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(54) Title: DIGITAL RIGHTS MANAGEMENT SYSTEM OPERATING ON COMPUTING DEVICE AND HAVING BLACK 
BOX TIED TO COMPUTING DEVICE 

(57) Abstract: A digital rights management 
(DRM) system operates on a computing 
device (14) when a user requests that an 
encrypted piece of digital content be rendered 
by the computer device (14). The computing 
device (14) has an identifier. A black box (30) 
performs decryption and encryption functions 
in the DRM system. The black box (30) 
includes a key file and an executable. The 
key file includes at least one black box public 
key and is expected to include the identifier 
of the computing device (14), the black box 
(30) thus being tied to the computing device 
(14) by inclusion of such first identifier. A 
digital license (16) corresponding to the digital 
content is resident in the DRM system and includes a decryption key for decrypting the 
encrypted digital content. The decryption key is expected to be encrypted according to 
the black box public key of the key file of the black box (30), the license (16) thus being 
tied to the black box (30) and by extension the computing device (14). If the identifier 
of the computing device (14) is in fact different than the identifier in the key file of the 
black box (30), a different key file is produced based on the black box public key(s) of 
the key file and the different identifier of the computing device (14). 
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Title of the Invention 

DIGITAL RIGHTS MANAGEMENT SYSTEM OPERATING ON COMPUTING DEVICE AND HAVING BLACK BOX TIED TO COMPUTING DEVICE 

Cross-Reference to Related Applications 
This application is related to U.S. Patent Application No. 09/290,363, filed April 12, 1999 
and entitled "ENFORCEMENT ARCHITECTURE AND METHOD FOR DIGITAL RIGHTS MANAGEMENT", 
and U.S. Provisional Application No. 60/126,614, filed March 27, 1999 and entitled 
"ENFORCEMENT ARCHITECTURE AND METHOD FOR DIGITAL RIGHTS MANAGEMENT", both of which are 
hereby incorporated by reference. This application is also related to U.S. Provisional 
Application No. 60/176,425, filed January 14, 2000 under attorney docket number 
'MSFT-0143' and entitled "ENFORCEMENT ARCHITECTURE AND METHOD FOR DIGITAL RIGHTS 
MANAGEMENT", hereby incorporated by reference. 

This application is related to and filed concurrently with U.S. Patent Application No. 
09/5W09, Attorney Docket No. MSFT-0117/147323.1, entitled "PRODUCING A NEW BLACK BOX 
FOR A DIGITAL RIGHTS MANAGEMENT (DRM) SYSTEM"; U.S. Patent Application No. 09/526,292, 
Attorney Docket No. MSFT-0118/147327.1, entitled "ENCRYPTING A DIGITAL OBJECT BASED ON A 
KEY ID SELECTED THEREFOR"; U.S. Patent Application No. 09/526,291, Attorney 

ELEMENT BY ASSIGNING A SCALED VALUE REPRESENTATIVE OF THE RELATIVE SECURITY 
THEREOF"; and U.S. Patent Application No. 09/525,510, Attorney Docket No. 
MSFT-0135/147325.1, entitled "RELEASING DECRYPTED DIGITAL CONTENT TO AN AUTHENTICATED 
PATH", each of which is hereby incorporated by reference. 

Technical Field 
The present invention relates to an architecture for enforcing rights in digital 
content. More specifically, the present invention relates to such an enforcement 
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architecture that allows access to encrypted digital content only in accordance with 
parameters specified by license rights acquired by a user of the digital content. 

BACKGROUND OF THE INVENTION 



Digital rights management and enforcement is highly desirable in connection with digital 
content such as digital audio, digital video, digital text, digital data, digital 
multimedia, etc., where such digital content is to be distributed to users. Typical modes 
of distribution include tangible devices such as a magnetic (floppy) disk, a magnetic 
tape, an optical (compact) disk (CD), etc., and intangible media such as an electronic 
bulletin board, an electronic network, the Internet, etc. Upon being received by the 
user, such user renders or 'plays' the digital content with the aid of an appropriate 
rendering device such as a media player on a personal computer or the like. 

Typically, a content owner or rights-owner, such as an author, a publisher, a 
broadcaster, etc. (hereinafter "content owner"), wishes to distribute such digital content 
to a user or recipient in exchange for a license fee or some other consideration. Such 
content owner, given the choice, would likely wish to restrict what the user can do with 
such distributed digital content. For example, the content owner would like to restrict the 
user from copying and re-distributing such content to a second user, at least in a manner 
that denies the content owner a license fee from such second user. 

In addition, the content owner may wish to provide the user with the flexibility to 
purchase different types of use licenses at different license fees, while at the same 
time holding the user to the terms of whatever type of license is in fact purchased. For 
example, the content owner may wish to allow distributed digital content to be played 
only a limited number of times, only for a certain total time, only on a certain type of 
machine, only on a certain type of media player, only by a certain type of user, etc. 

However, after distribution has occurred, such content owner has very little if any 
control over the digital content. This is especially problematic in view of the fact that 
practically every new or recent personal computer includes the software and hardware 
necessary to make an exact digital copy of such digital content and to 
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download such exact digital copy to a write-able magnetic or optical disk, or to send such 
exact digital copy over a network such as the Internet to any destination. 



Of course, as part of the legitimate transaction where the license fee was obtained, the 
content owner may require the user of the digital content to promise not to re-distribute 
such digital content. However, such a promise is easily made and easily broken. A content 
owner may attempt to prevent such re-distribution through any of several known security 
devices, usually involving encryption and decryption. However, there is likely very little 
that prevents a mildly determined user from decrypting encrypted digital content, saving 
such digital content in an un-encrypted form, and then re-distributing same. 

A need exists, then, for providing an enforcement architecture and method that allows 
the controlled rendering or playing of arbitrary forms of digital content, where such 
control is flexible and definable by the content owner of such digital content. A need 
also exists for providing a controlled rendering environment on a computing device such 
as a personal computer, where the rendering environment includes at least a portion of 
such enforcement architecture. Such controlled rendering environment allows that the 
digital content will only be rendered as specified by the content owner, even though the 
digital content is to be rendered on a computing device which is not under the control of 
the content owner. 

Further, a need exists for a trusted component running on the computing device, where the 
trusted component enforces the rights of the content owner on such computing device in 
connection with a piece of digital content even against attempts by the user of such 
computing device to access such digital content in ways not permitted by the content 
owner. As but one example, such a trusted software component prevents a user of the 
computing device from making a copy of such digital content except as otherwise allowed 
for by the content owner thereof. 

SUMMARY OF THE INVENTION 
The aforementioned needs are satisfied at least in part by an enforcement 
architecture and method for digital rights management where the architecture and 
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made available to the license server for purposes of encrypting portions of the issued 
license, thereby binding such license to such black box. The private key is available to 
the black box only, and not to the user or anyone else, for purposes of decrypting 
information encrypted with the corresponding public key. The DRM system is initially 
provided with a black box with a public / private key pair, and the user is prompted to 
download from a black box server an updated secure black box when the user first 
requests a license. The black box server provides the updated black box, along with a 
unique public / private key pair. Such updated black box is written in unique executable 
code that will run only on the user's computing device, and is re-updated on a regular 
basis. 

When a user requests a license, the client machine sends the black box public key, 
version number, and signature to the license server, and such license server issues a 
license only if the version number is current and the signature is valid. A license 
request also includes an identification of the digital content for which a license is 
requested and a key ID that identifies the decryption key associated with the requested 
digital content. The license server uses the black box public key to encrypt the 
decryption key, and the decryption key to encrypt the license terms, then downloads the 
encrypted decryption key and encrypted license terms to the user's computing device 
along with a license signature. 

Once the downloaded license has been stored in the DRM system license store, the user 
can render the digital content according to the rights conferred by the license and 
specified in the license terms. When a request is made to render the digital content, the 
black box is caused to decrypt the decryption key and license terms, and a DRM system 
license evaluator evaluates such license terms. The black box decrypts the encrypted 
digital content only if the license evaluation results in a decision that the requestor 
is allowed to play such content. The decrypted content is provided to the rendering 
application for rendering. 
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BRIEF DESCRIPTION OF THE DRAWINGS 
The foregoing summary, as well as the following detailed description of the embodiments 
of the present invention, will be better understood when read in conjunction with the 
appended drawings. For the purpose of illustrating the invention, there are shown in the 
drawings embodiments which are presently preferred. As should be understood, however, the 
invention is not limited to the precise arrangements and instrumentalities shown. In the 
drawings: 

Fig. 1 is a block diagram showing an enforcement architecture in accordance with one 
embodiment of the present invention; 

Fig. 2 is a block diagram of the authoring tool of the architecture of Fig. 1 in 
accordance with one embodiment of the present invention; 

Fig. 3 is a block diagram of a digital content package having digital content for use in 
connection with the architecture of Fig. 1 in accordance with one embodiment of the 
present invention; 

Fig. 4 is a block diagram of the user's computing device of Fig. 1 in accordance with one 
embodiment of the present invention; 

Figs. 5A and 5B are flow diagrams showing the steps performed in connection with the 
Digital Rights Management (DRM) system of the computing device of Fig. 4 to render 
content in accordance with one embodiment of the present invention; 

Fig. 6 is a flow diagram showing the steps performed in connection with the DRM system of 
Fig. 4 to determine whether any valid, enabling licenses are present in accordance with 
one embodiment of the present invention; 

Fig. 7 is a flow diagram showing the steps performed in connection with the DRM system of 
Fig. 4 to obtain a license in accordance with one embodiment of the present invention; 

Fig. 8 is a block diagram of a digital license for use in connection with the 
architecture of Fig. 1 in accordance with one embodiment of the present invention; 
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Fig. 9 is a flow diagram showing the steps performed in connection with the DRM system 
of Fig. 4 to obtain a new black box in accordance with one embodiment of the present 
invention; 

Fig. 10 is a flow diagram showing the key transaction steps performed in connection with 
the DRM system of Fig. 4 to validate a license and a piece of digital content and render 
the content in accordance with one embodiment of the present invention; 

Fig. 11 is a block diagram showing the license evaluator of Fig. 4 along with a Digital 
Rights License (DRL) of a license and a language engine for interpreting 
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Fig. 12 is a block diagram representing a general purpose computer 
system in which aspects of the present invention and/or portions thereof may be 
incorporated; 

Fig. 13 is a block diagram showing a representative path between a rendering application 
and an ultimate destination; 

Figs. 14-16 are flow diagrams showing various steps performed during authentication of 
the path of Fig. 13; 

Fig. 17 is a flow diagram showing various steps performed during security approval of the 
rendering application or a path module of Fig. 13; 

Fig. 18 is a flow diagram showing various steps performed during derivation of a 
decryption key (KD) from a key ID; 

Fig. 19 is a block diagram showing apparatus employed to produce a new individualized 
bb.dll and a new key file for a black box in one embodiment of the present invention; 

Figs. 20A-20D are flow diagrams showing various steps performed in connection with the 
apparatus shown in Fig. 19; 

Fig. 21 is a flow diagram showing various steps performed during backup / restore of a 
black box; and 
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Fig. 22 is a flow diagram showing various steps performed during backup 
/ restore of a digital license. 

DETAILED DESCRIPTION OF THE INVENTION 
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distributed computing environment, program modules may be located in both local and 

remote memory storage devices. 

As shown in Fig. 12, an exemplary general purpose computing system includes a 
conventional personal computer 120 or the like, including a processing unit 121, a system 
memory 122, and a system bus 123 that couples various system components including the 
system memory to the processing unit 121. The system bus 123 may be any of several types 
of bus structures including a memory bus or memory controller, a peripheral bus, and a 
local bus using any of a variety of bus architectures. The system memory includes 
read-only memory (ROM) 124 and random access memory (RAM) 125. A basic input/output 
system 126 (BIOS), containing the basic routines that help to transfer information 
between elements within the personal computer 120, such as during start-up, is stored in 
ROM 124. 

The personal computer 120 may further include a hard disk drive 127 for reading from and 
writing to a hard disk (not shown), a magnetic disk drive 128 for reading from or writing 
to a removable magnetic disk 129, and an optical disk drive 130 for reading from or 
writing to a removable optical disk 131 such as a CD-ROM or other optical media. The hard 
disk drive 127, magnetic disk drive 128, and optical disk drive 130 are connected to the 
system bus 123 by a hard disk drive interface 132, a magnetic disk drive interface 133, 
and an optical drive interface 134, respectively. The drives and their associated 
computer-readable media provide non-volatile storage of computer readable instructions, 
data structures, program modules and other data for the personal computer 120. 

Although the exemplary environment described herein employs a hard disk, a removable 
magnetic disk 129, and a removable optical disk 131, it should be appreciated that other 
types of computer readable media which can store data that is accessible by a computer 
may also be used in the exemplary operating environment. Such other types of media 
include a magnetic cassette, a flash memory card, a digital video disk, a Bernoulli 
cartridge, a random access memory (RAM), a read-only memory (ROM), and the like. 
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A number of program modules may be stored on the hard disk, magnetic 
disk 129, optical disk 131, ROM 124 or RAM 125, including an operating system 135, 
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138. A user may enter commands and information into the personal computer 120 
through input devices such as a keyboard 140 and pointing device 142. Other input devices 
(not shown) may include a microphone, joystick, game pad, satellite disk, scanner, or the 
like. These and other input devices are often connected to the processing unit 121 
through a serial port interface 146 that is coupled to the system bus, but may be 
connected by other interfaces, such as a parallel port, game port, or universal serial bus 
(USB). A monitor 147 or other type of display device is also connected to the system bus 
123 via an interface, such as a video adapter 148. In addition to the monitor 147, a 
personal computer typically includes other peripheral output devices (not shown), such as 
speakers and printers. The exemplary system of Fig. 12 also includes a host adapter 155, 
a Small Computer System Interface (SCSI) bus 156, and an external storage device 162 
connected to the SCSI bus 156. 

The personal computer 120 may operate in a networked environment using logical 
connections to one or more remote computers, such as a remote computer 149. The remote 
computer 149 may be another personal computer, a server, a router, a network PC, a peer 
device or other common network node, and typically includes many or all of the elements 
described above relative to the personal computer 120, although only a memory storage 
device 150 has been illustrated in Fig. 12. The logical connections depicted in Fig. 12 
include a local area network (LAN) 151 and a wide area network (WAN) 152. Such networking 
environments are commonplace in offices, enterprise-wide computer networks, intranets, 
and the Internet. 

When used in a LAN networking environment, the personal computer 120 is connected to the 
LAN 151 through a network interface or adapter 153. When used in a WAN networking 
environment, the personal computer 120 typically includes a modem 154 or other means for 
establishing communications over the wide area network 152, such as the Internet. The 
modem 154, which may be internal or external, is connected to 
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program modules depicted relative to the personal computer 120, or portions thereof; 
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network connections shown are exemplary and other means of establishing a 
communications link between the computers may be used. 
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ARCHITECTURE 
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architecture 10 includes an authoring tool 18, a content-key database 20, a content server 
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computing device 14. 
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broadcast 

In one embodiment of the present invention, the encryption / decryption key (KD) for the 
digital content 12 is a symmetric key, in that the encryption key (KD) is also the 
decryption key (KD). As will be discussed below in more detail, such decryption key (KD) 
is delivered to a user's computing device 14 in a hidden form as part of a license 16 for 
such digital content 12. Preferably, each piece of digital content 12 is provided with a 
content ID (or each package 12p is provided with a package ID), each decryption key (KD) 
has a key ID, and the authoring tool 18 causes the decryption key (KD), key ID, and 
content ID (or package ID) for each piece of digital content 12 (or each package 12p) to 
be stored in the content-key database 20. In addition, license data regarding the types 
of licenses 16 to be issued for the digital content 12 and the terms and conditions for 
each type of license 16 may be stored in the content-key database 20, or else in another 
database (not shown). Preferably, the license data can be modified by the content owner 
at a later time as circumstances and market conditions may require. 
In use, the authoring tool 18 is supplied with information including, among other things: 

- the digital content 12 to be packaged; 

- the type and parameters of watermarking and/or fingerprinting to be employed, if any; 

- the type and parameters of data compression to be employed, if any; 

- the type and parameters of encryption to be employed; 

- the type and parameters of serialization to be employed, if any; and 

- the instructions and/or rules that are to accompany the digital content 12. 
As is known, a watermark is a hidden, computer-readable signal that is added to the 
digital content 12 as an identifier. A fingerprint is a watermark that is different for 
each instance. As should be understood, an instance is a version of the digital content 
12 that is unique. Multiple copies of any instance may be made, and any copy is of a 
particular instance. When a specific instance of digital content 12 is illegally sold or 
broadcast, an investigative authority can perhaps identify suspects according to 
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the watermark / fingerprint added to such digital content 12. 

Data compression may be performed according to any appropriate 
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information) to be packaged with the digital content 12 in the package 12p; 

- the type of muxing that is to occur; and 

- the name of the output file 29b to which the package 12p based on the digital content 
12 is to be written. 

As should be understood, such dictionary 28 is easily and quickly modifiable by an 
operator of the authoring tool 18 (human or machine), and therefore the type of authoring 
performed by the authoring tool 18 is likewise easily and quickly modifiable in a dynamic 
manner. In one embodiment of the present invention, the authoring tool 18 includes an 
operator interface (not shown) displayable on a computer screen to a human operator. 
Accordingly, such operator may modify the dictionary 28 by way of the interface, and 
further may be appropriately aided and/or restricted in modifying the dictionary 28 by 
way of the interface. 

In the authoring tool 18, and as seen in Fig. 2, a source filter 18a receives the name of 
the input file 29a having the digital content 12 from the dictionary 28, and retrieves 
such digital content 12 from such input file and places the digital content 12 into a 
memory 29c such as a RAM or the like. An encoding filter 18b then performs encoding on 
the digital content 12 in the memory 29c to transfer the file from the input format to 
the output format according to the type of encoding specified in the dictionary 28, and 
places the encoded digital content 12 in the memory 29c. As shown, the digital content 12 
to be packaged (music, e.g.) is received in a compressed format such as the .wav or mp3 
format, and is transformed into a format such as the .asp (active streaming protocol) 
format. Of course, other input and output formats may be employed without departing from 
the spirit and scope of the present invention. 

Thereafter, an encryption filter 18c encrypts the encoded digital content 12 in the 
memory 29c according to the encryption / decryption key (KD) specified in the dictionary 
28, and places the encrypted digital content 12 in the memory 29c. A header filter 18d 
then adds the header information specified in the dictionary 28 to the encrypted 
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digital content 12 in the memory 29c. 

As should be understood, depending on the situation, the package 12p may include 
multiple streams of temporally aligned digital content 12 (one stream being shown in 
Fig. 2), where such multiple streams are multiplexed (i.e., 'muxed'). Accordingly, a mux 
filter 18e performs muxing on the header information and encrypted digital content 12 in 
the memory 29c according to the type of muxing specified in the dictionary 28, and places 
the result in the memory 29c. A file writer filter 18f then retrieves the result from the 
memory 29c and writes such result to the output file 29b specified in the dictionary 28 
as the package 12p. 

It should be noted that in certain circumstances, the type of encoding to be performed 
will not normally change. Since the type of muxing typically is based on the type of 
encoding, it is likewise the case that the type of muxing will not normally change, 
either. If this is in fact the case, the dictionary 28 need not include parameters on the 
type of encoding and/or the type of muxing. Instead, it is only necessary that the type 
of encoding be 'hardwired' into the encoding filter and/or that the type of muxing be 
'hardwired' into the mux filter. Of course, as circumstances require, the authoring tool 
18 may not include all of the aforementioned filters, or may include other filters, and 
any included filter may be hardwired or may perform its function according to parameters 
specified in the dictionary 28, all without departing from the spirit and scope of the 
present invention. 

Preferably, the authoring tool 18 is implemented on an appropriate computer, processor, 
or other computing machine by way of appropriate software. The structure and operation of 
such machine and such software should be apparent based on the disclosure herein and 
therefore do not require any detailed discussion in the present disclosure. 

ARCHITECTURE - Content Server 22 

Referring again to Fig. 1, in one embodiment of the present invention, the 
content server 22 distributes or otherwise makes available for retrieval the packages 12p 
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produced by the authoring tool 18. Such packages 12p may be distributed as requested 
by the content server 22 by way of any appropriate distribution channel without 
departing from the spirit and scope of the present invention. For example, such 
distribution channel may be the Internet or another network, an electronic bulletin board, 
electronic mail, or the like. In addition, the content server 22 may be employed to copy 
the packages 12p onto magnetic or optical disks or other storage devices, and such 
storage devices may then be distributed. 

It will be appreciated that the content server 22 distributes packages 12p without 
regard to any trust or security issues. As discussed below, such issues are dealt with in 
connection with the license server 24 and the relationship between such license server 
24 and the user's computing device 14. In one embodiment of the present invention, the 
content server 22 freely releases and distributes packages 12p having digital content 12 
to any distributee requesting same. However, the content server 22 may also release and 
distribute such packages 12p in a restricted manner without departing from the spirit 
and scope of the present invention. For example, the content server 22 may first require 
payment of a predetermined distribution fee prior to distribution, or may require that a 
distributee identify itself, or may indeed make a determination of whether distribution 
is to occur based on an identification of the distributee. 

In addition, the content server 22 may be employed to perform inventory management by 
controlling the authoring tool 18 to generate a number of different packages 12p in 
advance to meet an anticipated demand. For example, the server could generate 100 
packages 12p based on the same digital content 12, and serve each package 12p 10 times. 
As supplies of packages 12p dwindle to 20, for example, the content server 22 may then 
direct the authoring tool 18 to generate 80 additional packages 12p, again for example. 

Preferably, the content server 22 in the architecture 10 has a unique public / private 
key pair (PU-CS, PR-CS) that is employed as part of the process of evaluating a license 
16 and obtaining a decryption key (KD) for decrypting corresponding digital 
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content 12, as will be explained in more detail below. As is known, a public / private 
key pair is an asymmetric key, in that what is encrypted in one of the keys in the key 
pair can only be decrypted by the other of the keys in the key pair. In a public / 
private key pair encryption system, the public key may be made known to the world, but 
the private key should always be held in confidence by the owner of such private key. 
Accordingly, if the content server 22 encrypts data with its private key (PR-CS), it can 
send the encrypted data out into the world with its public key (PU-CS) for decryption 
purposes. Correspondingly, if an external device wants to send data to the content server 
22 so that only such content server 22 can decrypt such data, such external device must 
first obtain the public key of the content server 22 (PU-CS) and then must encrypt the 
data with such public key. Accordingly, the content server 22 (and only the content 
server 22) can then employ its private key (PR-CS) to decrypt such encrypted data. 

As with the authoring tool 18, the content server 22 is implemented on an appropriate 
computer, processor, or other computing machine by way of appropriate software. The 
structure and operation of such machine and such software should be apparent based on 
the disclosure herein and therefore do not require any detailed discussion in the present 
disclosure. Moreover, in one embodiment of the present invention, the authoring tool 18 
and the content server 22 may reside on a single computer, processor, or other computing 
machine, each in a separate work space. It should be recognized, moreover, that the 
content server 22 may in certain circumstances include the authoring tool 18 and/or 
perform the functions of the authoring tool 18, as discussed above. 

Structure of Digital Content Package 12p 

Referring now to Fig. 3, in one embodiment of the present invention, the digital content 
package 12p as distributed by the content server 22 includes: 

- the digital content 12 encrypted with the encryption / decryption key (KD), as was 
discussed above (i.e., (KD(CONTENT))); 

- the content ID (or package ID) of such digital content 12 (or package 
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12p); 

- the key ID of the decryption key (KD); 

- license acquisition information, preferably in an un-encrypted form; and 

- the key KD encrypting the content server 22 public key (PU-CS), signed by the content 
server 22 private key (PR-CS) (i.e., (KD (PU-CS) S (PR-CS))). 

With regard to (KD (PU-CS) S (PR-CS)), it is to be understood that such is to be used in 
connection with validating the digital content 12 and/or package 12p, as will be 
explained below. Unlike a certificate with a digital signature (see below), the key 
(PU-CS) is not necessary to get at (KD (PU-CS)). Instead, the key (PU-CS) is obtained 
merely by applying the decryption key (KD). Once so obtained, such key (PU-CS) may be 
employed to test the validity of the signature (S (PR-CS)). 



The production of (KD (PU-CS) S (PR-CS)) may for example include the steps of: 

- the content server 22 sending (PU-CS) to the authoring tool 18; 

- the authoring tool 18 encrypting (PU-CS) with (KD) to produce (KD (PU-CS)); 

- the authoring tool 18 sending (KD (PU-CS)) to the content server 22; 

- the content server 22 signing (KD (PU-CS)) with (PR-CS) to produce 
(KD (PU-CS) S (PR-CS)); and 

- the content server 22 sending (KD (PU-CS) S (PR-CS)) to the authoring tool 18. 
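The two key-handling procedures this page describes, as an added illustration that is not code from the patent: the steps above producing (KD (PU-CS) S (PR-CS)) together with the client-side validation of it, and the license of the Summary (the decryption key under the black box public key, the license terms under that key, plus a license signature) as issued by the license server and consumed by the black box. The RSA-over-Mersenne-prime key pairs and the SHA-256 keystream standing in for KD(x) are assumptions chosen so it runs offline with only the Python standard library:

```python
"""Added model of this page's key handling: the package item (KD (PU-CS) S (PR-CS))
and its validation, and the license 16 carried as (PU-BB (KD)) + (KD (terms)) with a
signature S (PR-LS).  The RSA-over-Mersenne-prime key pairs and the SHA-256 keystream
standing in for KD(x) are stand-ins so it runs offline; neither is production crypto."""
import hashlib
import os
from typing import Callable, Tuple

PubKey = Tuple[int, int]   # (n, e)
WIDTH = 128                # byte width used to serialise integers (all values < 2^1024)


def digest(data: bytes) -> int:
    """128-bit SHA-256 prefix as an integer: below every toy modulus used here."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


class KeyPair:                                      # PU = (n, e) is public; PR = d stays with the owner
    def __init__(self, p: int, q: int, e: int = 65537) -> None:
        self.pub: PubKey = (p * q, e)
        self.priv = pow(e, -1, (p - 1) * (q - 1))   # raises ValueError if e is not invertible

    def decrypt(self, c: int) -> int:               # PR(c): only the key holder can do this
        return pow(c, self.priv, self.pub[0])

    def sign(self, data: bytes) -> int:             # S (PR): private-key operation on a hash
        return pow(digest(data), self.priv, self.pub[0])


def pub_encrypt(pub: PubKey, m: int) -> int:        # PU(m): anyone holding PU may do this
    return pow(m, pub[1], pub[0])


def verify(pub: PubKey, data: bytes, sig: int) -> bool:
    return pub[0] >= 2 and pow(sig, pub[1], pub[0]) == digest(data)


def kd_crypt(kd: int, data: bytes) -> bytes:
    """Symmetric KD(x): XOR with a keystream derived from KD; decrypting is the same call."""
    key = kd.to_bytes(16, "big")                    # OverflowError unless KD is a 128-bit key
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encode_pub(pub: PubKey) -> bytes:
    return pub[0].to_bytes(WIDTH, "big") + pub[1].to_bytes(4, "big")


def decode_pub(raw: bytes) -> PubKey:
    return int.from_bytes(raw[:WIDTH], "big"), int.from_bytes(raw[WIDTH:], "big")


# The five steps that produce (KD (PU-CS) S (PR-CS)) for the package 12p.
def make_validation_item(cs: KeyPair, kd: int) -> Tuple[bytes, int]:
    pu_cs = cs.pub                                  # 1. content server sends (PU-CS) to the authoring tool
    kd_pu_cs = kd_crypt(kd, encode_pub(pu_cs))      # 2. authoring tool forms (KD (PU-CS))
    sig = cs.sign(kd_pu_cs)                         # 3./4. sent back; content server signs with (PR-CS)
    return kd_pu_cs, sig                            # 5. (KD (PU-CS) S (PR-CS)) returned for the package


def validate_package(kd: int, item: Tuple[bytes, int]) -> bool:
    """Client side: (PU-CS) is obtained merely by applying (KD), then tests S (PR-CS)."""
    kd_pu_cs, sig = item
    return verify(decode_pub(kd_crypt(kd, kd_pu_cs)), kd_pu_cs, sig)


# License 16: issued by the license server, consumed by the black box.
def issue_license(ls: KeyPair, pu_bb: PubKey, kd: int, terms: bytes) -> dict:
    """KD under the black box public key, terms under KD, both signed with (PR-LS)."""
    lic = {"pu_bb_kd": pub_encrypt(pu_bb, kd), "kd_terms": kd_crypt(kd, terms)}
    lic["sig"] = ls.sign(lic["pu_bb_kd"].to_bytes(WIDTH, "big") + lic["kd_terms"])
    return lic


def render(bb: KeyPair, pu_ls: PubKey, lic: dict, kd_content: bytes, right: bytes = b"play") -> bytes:
    """Black box: check the license signature, unwrap KD with (PR-BB), evaluate terms, decrypt."""
    if not verify(pu_ls, lic["pu_bb_kd"].to_bytes(WIDTH, "big") + lic["kd_terms"], lic["sig"]):
        raise PermissionError("license signature invalid")
    kd = bb.decrypt(lic["pu_bb_kd"])                # only this black box holds (PR-BB)
    if right not in kd_crypt(kd, lic["kd_terms"]).split(b";"):   # the license evaluator's decision
        raise PermissionError("license does not grant this right")
    return kd_crypt(kd, kd_content)


def rejected(action: Callable[[], object]) -> bool:
    try:                                            # True if the black box refused to render
        action()
    except (PermissionError, OverflowError):        # bad terms, or a KD this box cannot unwrap
        return True
    return False


def demo() -> dict:
    cs = KeyPair((1 << 61) - 1, (1 << 89) - 1)       # content server (PU-CS, PR-CS)
    ls = KeyPair((1 << 107) - 1, (1 << 127) - 1)     # license server (PU-LS, PR-LS)
    bb = KeyPair((1 << 31) - 1, (1 << 521) - 1)      # the user's black box (PU-BB, PR-BB)
    other_bb = KeyPair((1 << 13) - 1, (1 << 607) - 1)  # a black box the license was not tied to
    kd = int.from_bytes(os.urandom(16), "big")       # symmetric content key (KD), constructed
    kd_content = kd_crypt(kd, b"constructed sample content 12")   # (KD(CONTENT)) in the package
    item = make_validation_item(cs, kd)
    tampered = (item[0][:-1] + bytes([item[0][-1] ^ 1]), item[1])  # one bit of (KD (PU-CS)) flipped
    lic = issue_license(ls, bb.pub, kd, b"play;count=3")
    return {
        "package_valid": validate_package(kd, item),
        "tampered_valid": validate_package(kd, tampered),
        "rendered": render(bb, ls.pub, lic, kd_content),
        "other_box_denied": rejected(lambda: render(other_bb, ls.pub, lic, kd_content)),
        "copy_denied": rejected(lambda: render(bb, ls.pub, lic, kd_content, b"copy")),
    }
```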
license server 24 performs the functions of receiving a request for a license 16 from a
user's computing device 14 in connection with a piece of digital content 12, determining
whether the user's computing device 14 can be trusted to honor an issued license 16,
negotiating and constructing such a license 16, and transmitting such license 16 to the
user's computing device 14. Preferably, such transmitted license 16 includes the
decryption key (KD) for decrypting the digital content 12, as will be explained in more
detail below. Preferably, and like the content server 22, the license server 24 has a
unique public/private key pair (PU-LS, PR-LS) that is employed as part of the process
of evaluating a license 16 and obtaining a decryption key (KD) for decrypting
corresponding digital content 12, as will be explained in more detail below.

24 is implemented on an appropriate computer, processor, or other computing machine
by way of appropriate software. The structure and operation of such machine and such
software should be apparent based on the disclosure herein and therefore do not require
any detailed discussion in the present disclosure. Moreover, in one embodiment of the
present invention the authoring tool 18 and/or the content server 22 may reside on a
single computer, processor, or other computing machine together with the license server
24, each in a separate workspace.
In one embodiment of the present invention, prior to issuance of a license
16, the content server 22 and the license server 24 enter into an agency agreement or the
like, wherein the license server 24 in effect agrees to be the licensing authority for at
least a portion of the digital content 12 distributed by the content server 22. As should be
understood, one content server 22 may enter into an agency agreement or the like with
several license servers 24, and/or one license server 24 may enter into an agency
agreement or the like with several content servers 22, all without departing from the
spirit and scope of the present invention.



Preferably,

server 22. To do so, it is preferable that the license server 24 send to the content server
22 the license server 24 public key (PU-LS), and that the content server 22 then send to
the license server 24 a digital certificate containing (PU-LS) as the contents thereof and
signed with the content server 22 private key (CERT (PU-LS) S (PR-CS)). As should be
understood, the contents (PU-LS) of such certificate may be obtained by applying the
content server 22 public key (PU-CS). As should also be understood, in general a digital
signature of underlying data is an encrypted form of such data, and will not match such
data when decrypted if such data has been adulterated or otherwise modified.

As a licensing authority in connection with a piece of digital content 12,
the license server 24 must have access to the decryption key (KD) for such digital
content 12. Accordingly, it is preferable that the license server 24 have access to the
content-key database 20 that has the decryption key (KD), key ID, and content ID (or
package ID) for such digital content 12 (or package 12p).



ARCHITECTURE 10 - Black Box Server 26



Still referring to Fig. 1, in one embodiment of the present invention, the
black box server 26 performs the functions of installing and/or upgrading a new black
box 30 in a user's computing device 14. As will be explained in more detail below, the
black box 30 performs encryption and decryption functions for the user's computing
device 14. As will also be explained in more detail below, the black box 30 is intended
to be secure and protected from attack. Such security and protection is provided, at least
in part, by upgrading the black box 30 to a new version as necessary by way of the black
box server 26, as will be explained in more detail below.

As with the authoring tool 18, the content server 22, and the license server
24, the black box server 26 is implemented on an appropriate computer, processor, or
other computing machine by way of appropriate software. The structure and operation of
such machine and such software should be apparent based on the disclosure herein. In
one embodiment of the present invention the license server 24, the authoring tool 18,
and/or the content server 22 may reside on a single computer, processor, or other
computing machine together with the black box server 26, each in a separate workspace.
Note, though, that the black box server 26 may instead reside on a separate machine.




Referring now to Fig. 4, in one embodiment of the present invention, the
user's computing device 14 is a personal computer or the like, having elements including
RAM, ROM, a hard drive, a floppy drive, a CD player, and the like. However, the user's
computing device 14 may also be a dedicated viewing device such as a television or
monitor, a dedicated audio device such as a stereo or other music player, a dedicated
printer, or the like, without departing from the spirit and scope of the present invention.

The content owner for a piece of digital content 12 must trust that the
user's computing device 14 will not render such digital content 12 except according to
the license rules embodied in the license 16 associated with such digital content 12 and
obtained by the user. Preferably, then, such user's computing device 14 provides a
trusted DRM system 32 that enforces such license rules. The contents and function of
the DRM system 32 on the user's computing device 14 and in connection with the
architecture 10 are described below.









DRM SYSTEM 32

The DRM system 32 performs the following functions with the architecture 10
disclosed herein: (1) content acquisition, (2) license acquisition, (3) content rendering,
and (4) installation/upgrade of the black box 30. Some of these functions
require that digital content 12 be acquired.
DRM SYSTEM 32 - Content Acquisition

Acquisition of digital content 12 by a user and/or the user's computing
device 14 is necessary before such digital content 12 can be rendered within the
architecture 10 and the DRM system 32 disclosed herein. Such digital content 12, once
obtained, is preferably stored in a manner accessible to the user's computing device 14.
For example, if such digital content 12 is on an optical or magnetic disk or the like, it
may only be necessary that such disk be present in an appropriate drive (not shown)
coupled to the user's computing device 14.

In the present invention, it is expected that no special tools are
necessary to acquire digital content 12, either from the content server 22 as a direct
distribution source or from some intermediary as an indirect distribution source. That is,
it is preferable that digital content 12 be as easily acquired as any other data file.
However, the DRM system 32 and/or the rendering application 34 may include an
interface (not shown) designed to assist the user in obtaining digital content 12. For
example, the interface may include a web browser especially designed to search for
digital content 12, obtain digital content 12, and the like.

DRM SYSTEM 32 - Content Rendering, Part 1

Referring now to Fig. 5A, in one embodiment of the present invention,
assuming the digital content 12 has been distributed to and received by a user, such user
will attempt to render the digital content 12 by executing some variation on a render
command (step 501). For example, such render command may be embodied as a request
to 'play' or 'open' the digital content 12. In some computing environments, such as for
example the "MICROSOFT WINDOWS" operating system, distributed by
MICROSOFT Corporation of Redmond, Washington, such a render command may take
other forms, and other embodiments of such render command may be employed without
departing from the spirit and scope of the present invention. In general, such render
command may be considered to be executed whenever a user directs that a file having
digital content 12 be opened, run, executed, and/or the like.

Importantly, and in addition, such render command may be embodied as a
request to copy the digital content 12 to another form, such as a printed form, etc. As
should be understood, the same digital content 12 may be
rendered in one form, such as on a computer screen, and then in another form, such as a
printed document. In the present invention, each type of rendering is performed only if
the user has the right to do so, as will be explained below.

In one embodiment of the present invention, the digital content 12 is in 
the form of a digital file having a file name ending with an extension, and the computing 
device 14 can determine based on such extension to start a particular kind of rendering 
application 34. For example, if the file name extension indicates that the digital content 
12 is a text file, the rendering application 34 is some form of word processor such as
"MICROSOFT WORD", distributed by MICROSOFT Corporation of Redmond,
Washington. Likewise, if the file name extension indicates that the digital content 12 is 
an audio, video, and/or multimedia file, the rendering application 34 is some form of 
multimedia player, such as "MICROSOFT MEDIA PLAYER", also distributed by 
MICROSOFT Corporation of Redmond, Washington. 

Of course, other methods of determining a rendering application may be
employed without departing from the spirit and scope of the present invention. As but
one example, the digital content 12 may contain meta-data in an un-encrypted form (i.e., 
the aforementioned header information), where the meta-data includes information on the 
type of rendering application 34 necessary to render such digital content 12. 

Preferably, such rendering application 34 examines the digital content 12
associated with the file name and determines whether such digital content 12 is encrypted
in a rights-protected form (steps 503, 505). If not protected, the digital content 12 may
be rendered without further ado (step 507). If protected, the rendering application 34
determines from the encrypted digital content 12 that the DRM system 32 is necessary to
play such digital content 12. Accordingly, such rendering application 34 directs the
user's computing device 14 to run the DRM system 32 thereon (step 509). Such
rendering application 34 then calls such DRM system 32 to decrypt the digital content 12
(step 511). As will be discussed in more detail below, the DRM system 32 in fact
decrypts the digital content 12 only if the user has a valid license 16 for such digital
content 12 and the right to play the digital content 12 according to the license rules in the
valid license 16. Preferably, once the DRM system 32 has been called by the rendering
application 34, such DRM system 32 assumes control from the rendering application 34,
at least for purposes of determining whether the user has the right to play such digital
content 12 (step 513).



DRM System 32 Components

In one embodiment of the present invention, and referring again to Fig. 4,
the DRM system 32 includes a license evaluator 36, the black box 30, a license store 38,
and a state store 40.

DRM System 32 Components - License Evaluator 36

The license evaluator 36 locates one or more licenses 16 corresponding
to the requested digital content 12, determines whether such licenses 16 are valid,
reviews the license rules in such valid licenses 16, and determines based on the reviewed
license rules whether the requesting user has the right to render the requested digital
content 12 in the manner sought, among other things. As should be understood, the
license evaluator 36 is a trusted component in the DRM system 32. In the present
disclosure, to be 'trusted' means that the license server 24 (or any other trusting element)
is satisfied that the trusted element will carry out the wishes of the owner of the digital
content 12 according to the rights description in the license 16, and that a user cannot
easily alter such trusted element for any purpose, nefarious or otherwise.

The license evaluator 36 has to be trusted in order to ensure that such
license evaluator 36 will in fact evaluate a license 16 properly, and to ensure that such
license evaluator 36 has not been adulterated or otherwise modified by a user for the
purpose of bypassing actual evaluation of a license 16. Accordingly, the license
evaluator 36 is run in a protected or shrouded environment such that the user is denied
access to such license evaluator 36. Other protective measures may of course be
employed in connection with the license evaluator 36 without departing from the spirit
and scope of the present invention.
DRM System 32 Components - Black Box 30

Primarily, and as was discussed above, the black box 30 performs
encryption and decryption functions in the DRM system 32. In particular, the black box
30 works in conjunction with the license evaluator 36 to decrypt and encrypt certain
information as part of the license evaluation function. In addition, once the license
evaluator 36 determines that a user does in fact have the right to render the requested
digital content 12 in the manner sought, the black box 30 is provided with a decryption
key (KD) for such digital content 12, and performs the function of decrypting such
digital content 12 based on such decryption key (KD).

The black box 30 is also a trusted component in the DRM system 32. In
particular, it must be ensured that the black box 30 has not been adulterated or otherwise
modified by a user for the purpose of bypassing actual evaluation of a license 16.
Accordingly, the black box 30 is also run in a protected or shrouded environment such
that the user is denied access to such black box 30. Other protective measures may be
employed in connection with the black box 30 without departing from the spirit and
scope of the present invention. Preferably, and like the content server 22 and license
server 24, the black box 30 in the DRM system 32 has a unique public/private key pair
(PU-BB, PR-BB) that is employed as part of the process of evaluating the license 16 and
obtaining a decryption key (KD) for decrypting the digital content 12, as will be
described in more detail below.

DRM System 32 Components - License Store 38

The license store 38 stores licenses 16 received by the DRM system 32
for corresponding digital content 12. The license store 38 itself need not be trusted since
the license store 38 merely stores licenses 16, each of which already has trust
components built thereinto, as will be described below. In one embodiment of the
present invention, the license store 38 is merely a sub-directory of a drive such as a hard
disk drive or a network drive. However, the license store 38 may be embodied in any
other form without departing from the spirit and scope of the present invention, so long
as such license store 38 performs the function of storing licenses 16 in a location
relatively convenient to the DRM system 32.



DRM System 32 Components - State Store 40

The state store 40 performs the function of maintaining state information
corresponding to licenses 16 presently or formerly in the license store 38. Such state
information is created by the DRM system 32 and stored in the state store 40 as
necessary. For example, if a particular license 16 only allows a predetermined number
of renderings of a piece of corresponding digital content 12, the state store 40 maintains
state information on how many renderings have in fact taken place in connection with
such license 16. The state store 40 continues to maintain state information on licenses 16
that are no longer in the license store 38 to avoid the situation where it would otherwise
be advantageous to delete a license 16 from the license store 38 and then obtain an
identical license 16 in an attempt to delete the corresponding state information from the
state store 40.

The state store 40 also has to be trusted in order to ensure that the
information stored therein is not reset to a state more favorable to a user. Accordingly,
the state store 40 is likewise run in a protected or shrouded environment such that the
user is denied access to such state store 40. Once again, other protective measures may
of course be employed in connection with the state store 40 without departing from the
spirit and scope of the present invention. For example, the state store 40 may be stored
by the DRM system 32 on the computing device 14 in an encrypted form.

DRM SYSTEM 32 - Content Rendering, Part 2

Referring again to Fig. 5A, and again discussing one embodiment of the
present invention, assuming that the DRM system 32 has assumed control
from the calling rendering application 34, such DRM system 32 then determines whether
the user has a valid, enabling license 16 for such digital content 12, i.e., a valid license
16 that allows the user to render the digital content 12 in the manner sought. In
particular, the DRM system 32 looks for such a license 16 in the license store 38 (step
515) and, if none is found, may perform the license acquisition function (as
discussed below and as shown in Fig. 7).

As shown in Fig. 4, and referring now to Fig. 6, the license evaluator 36 of
the DRM system 32 checks the license store 38 for the presence of one or more received
licenses 16 that correspond to the digital content 12 (step 601). Typically, the user will
receive the digital content 12 without such license 16, although it will likewise be
recognized that the digital content 12 may be received with a corresponding license 16
without departing from the spirit and scope of the present invention.

As was discussed above in connection with Fig. 3, each piece of digital
content 12 is in a package 12p with a content ID (or package ID) identifying such digital
content 12 (or package 12p), and a key ID identifying the decryption key (KD) that will
decrypt the encrypted digital content 12. Preferably, the content ID (or package ID) and
the key ID are in an un-encrypted form. Accordingly, based on the content ID of the
digital content 12 and based on the presence of one or more licenses 16 in the license
store 38, the DRM system 32 may determine whether such licenses 16 correspond to
such digital content 12 (step 515 of Fig. 5A), as will be described below.

Assume now that the DRM system 32 has been requested to render a
piece of digital content 12, and that one or more licenses 16 corresponding thereto are
present in the license store 38. In one embodiment of the present invention, then, the
license evaluator 36 of the DRM system 32 proceeds to determine for each such license
16 whether such license 16 itself is valid (steps 603 and 605 of Fig. 6). Preferably, and
as will be explained in more detail below, each license 16 has a digital signature 26 from
which the license evaluator 36 can determine whether the contents of such license 16
have been adulterated or otherwise modified.

Assuming that the license 16 is valid, the license evaluator 36 of the DRM
system 32 next determines whether such valid license 16 gives the user the right to render
the corresponding digital content 12 in the manner desired (i.e., is enabling) (steps 607
and 609). In particular, the license evaluator 36 determines whether the requesting user
has the right to play the requested digital content 12 based on the rights description in
each valid license 16 and based on what the user is attempting to do with the digital
content 12. For example, such rights description may allow the user to render the digital
content 12 into a sound, but not into a decrypted digital copy.

As should be understood, the rights description in each license 16
specifies whether the user has rights to play the digital content 12 based on any of several
factors, including who the user is, the date, the time, etc. In addition, the rights
description may limit the license 16 to a pre-determined number of plays, or a
pre-determined play time, for example. In such case, the DRM system 32 must refer to
appropriate state information with regard to the license 16 (i.e., how many times the
digital content 12 has been rendered, the total amount of time the digital content 12 has
been rendered, etc.), where such state information is stored in
the state store 40 of the DRM system 32 on the user's computing device 14.

Accordingly, the license evaluator 36 of the DRM system 32 reviews the
rights description of such valid license 16 to determine whether such valid license 16
confers the rights sought to the user. In doing so, the license evaluator 36 may have to
refer to other data local to the user's computing device 14 to perform a determination of
whether the user has the rights sought. As seen in Fig. 4, such data may include an
identification 42 of the user's computing device (machine) 14 and particular aspects
thereof, an identification 44 of the user and particular aspects thereof, an identification of
the rendering application 34 and particular aspects thereof, a system clock 46, and the
like. If no valid license 16 is found that provides the user with the right to render the
digital content 12 in the manner sought, the DRM system 32 may then perform the
license acquisition function described below to obtain such a license 16, if in fact such a
license 16 is obtainable.

Of course, in some instances the user cannot obtain the right to render the
digital content 12 in the manner requested, because the content owner of such digital
content 12 has in effect directed that such right not be granted. For example, the content
owner of such digital content 12 may have directed that no license 16 be granted to allow
a user to print a text document, or to copy a multimedia presentation into an un-
encrypted form. In one embodiment of the present invention, the digital content 12
includes data on what rights are available upon purchase of a license 16, and types of
licenses 16 available. However, it will be recognized that the content owner of a piece of
digital content 12 may at any time change the rights currently available for such digital
content 12 by changing the licenses 16 available for such digital content 12.






DRM SYSTEM 32 - License Acquisition

Referring now to Fig. 7, if in fact the license evaluator 36 does not find in
the license store 38 any valid, enabling license 16 corresponding to the requested digital
content 12, the DRM system 32 may then perform the function of license acquisition. As
shown in Fig. 3, each piece of digital content 12 is packaged with information in an un-
encrypted form regarding how to obtain a license 16 for rendering such digital content 12
(i.e., license acquisition information).

In one embodiment of the present invention, such license acquisition
information may include (among other things) types of licenses 16 available, and one or
more Internet web sites or other site information at which one or more appropriate
license servers 24 may be accessed, where each such license server 24 is in fact capable
of issuing a license 16 corresponding to the digital content 12. Of course, the license 16
may be obtained in other manners without departing from the spirit and scope of the
present invention. For example, the license 16 may be obtained from a license server 24
at an electronic bulletin board, or even in person or via regular mail in the form of a file
on a magnetic or optical disk or the like.

Assuming that the location for obtaining a license 16 is in fact a license
server 24 on a network, the license evaluator 36 then establishes a network connection to 
such license server 24 based on the web site or other site information, and then sends a 
15 request for a license 16 from such connected license server 24 (steps 701, 703). In 
particular, once the DRM system 32 has contacted the license server 24, such DRM 
system 32 transmits appropriate license request information 36 to such license server 24. 

In one embodiment of the present invention, such license 16 request information 36 may
include:

- the public key of the black box 30 of the DRM system 32 (PU-BB);

- the version number of the black box 30 of the DRM system 32;

- a certificate with a digital signature from a certifying authority certifying
the black box 30 (where the certificate may in fact include the
aforementioned public key and version number of the black box 30);

- the content ID (or package ID) that identifies the digital content 12 (or
package 12p);

- the key ID that identifies the decryption key (KD) for decrypting the
digital content 12;

- the type of license 16 requested (if in fact multiple types are available);

- the type of rendering application 34 that requested rendering of the
digital content 12;
and/or the like, among other things. Of course, greater or lesser amounts of license
request information 36 may be transmitted to the license server 24 by the DRM system
32 without departing from the spirit and scope of the present invention. For example,
information on the type of rendering application 34 may not be necessary, while
additional information about the user and/or the user's computing device 14 may be
necessary.

Once the license server 24 has received the license 16 request information
36 from the DRM system 32, the license server 24 may then perform several checks for
trust / authentication and for other purposes. In one embodiment of the present
invention, such license server 24 checks the certificate with the digital signature of the
certifying authority to determine whether such has been adulterated or otherwise
modified (steps 705, 707). If so, the license server 24 refuses to grant any license 16
based on the request information 36. The license server 24 may also maintain a list of
known 'bad' users and/or user's computing devices 14, and may refuse to grant any
license 16 based on a request from any such bad user and/or bad user's computing device
14 on the list. Such 'bad' list may be compiled in any appropriate manner without
departing from the spirit and scope of the present invention.

Based on the received request and the information associated therewith,
and particularly based on the content ID (or package ID) in the license request
information, the license server 24 can interrogate the content-key database 20 (Fig. 1)
and locate a record corresponding to the digital content 12 (or package 12p) that is the
basis of the request. As was discussed above, such record contains the decryption key
(KD) for such digital content 12, and may also contain the types of licenses 16 available
for such digital content 12 and the terms and conditions for each type of license 16.
Alternatively, such record

As mentioned above, multiple types of licenses 16 may be available. For
example, for a relatively small license fee, a license 16 allowing a limited number of
renderings may be available. For a relatively greater license fee, a license 16 allowing
unlimited renderings until an expiration date may be available. For a still greater license
fee, a license 16 allowing unlimited renderings without any expiration date may be
available. Practically any type of license 16 having any kind of license terms may be
devised and issued by the license server 24 without departing from the spirit and scope of
the present invention.

In one embodiment of the present invention, the request for a license 16 is
accomplished with the aid of a web page or the like as transmitted from the license server
24 to the user's computing device 14. Preferably, such web page includes information
on all types of licenses 16 available from the license server 24 for the digital content 12
that is the basis of the license 16 request.

In one embodiment of the present invention, prior to issuing a license 16,
the license server 24 checks the version number of the black box 30 to determine whether
such black box 30 is relatively current (steps 709, 711). As should be understood, the
black box 30 is intended to be secure and protected from attacks from a user with
nefarious purposes (i.e., to improperly render digital content 12 without a license 16, or
otherwise). However, it is to be recognized that no system is totally secure from such an
attack.

As should also be understood, if the black box 30 is relatively current, i.e.,
has been obtained or updated relatively recently, it is less likely that such black box 30
has been successfully attacked by such a nefarious user. Preferably, and as a matter of
trust, if the license server 24 receives a license request with request information 36
including a black box 30 version number that is not relatively current, such license server
24 refuses to issue the requested license 16 until the corresponding black box 30 is
upgraded to a current version, as will be described below. Put simply, the license server
24 will not trust such black box 30 unless such black box 30 is relatively current.

In the context of the black box 30, the term
'current' or 'relatively current' may have any appropriate meaning without departing



PCT/US00/2JUI8 

WO 01/52021 

-34- 



from the spirit and scope of the present invention, consistent with the function of 
providing trust in the black box 30 based on the age or use thereof. For example, 
'current' may be defined according to age (i.e., less than one month old). As an
alternative example, 'current' may be defined based on a number of times that the black
box 30 has decrypted digital content 12 (i.e., less than 200 instances of decryption).
Moreover, •current' may be based on policy as set by each license server 24, where one 
license server 24 may define 'current' differently from another license server 24, and a 
license server 24 may further define 'current* differently depending on the digital content 
12 for which a license 16 is requested, or depending on the type of license 16 requested, 

10 among other things. 
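The 'current' test of steps 709 and 711, with the two example definitions above and a policy that differs per digital content and per license type, as an added Python example that is not the patent's own code. The black box descriptor fields ('issued', 'decryptions'), the thresholds, dates and IDs are all constructed.

```python
# Added example, not code from the patent: a license server's 'current' check
# (steps 709/711). 'current' may be an age limit, a decryption-count limit, or
# both, and each license server may define it differently per digital content
# or per license type. All thresholds, field names, dates and IDs are constructed.
from datetime import date, timedelta


def policy_for(server_policy, content_id=None, license_type=None):
    """Resolve the limits that apply to one request: the server-wide default,
    then a per-content override, then a per-license-type override."""
    limits = dict(server_policy["default"])
    limits.update(server_policy.get("by_content", {}).get(content_id, {}))
    limits.update(server_policy.get("by_license_type", {}).get(license_type, {}))
    return limits


def black_box_is_current(bb, today, limits):
    """bb holds the black box indicia sent in the license request information 36:
    constructed fields 'issued' (date) and 'decryptions' (count so far)."""
    if "max_age" in limits and today - bb["issued"] >= limits["max_age"]:
        return False  # older than the policy allows (e.g. one month)
    if "max_decryptions" in limits and bb["decryptions"] >= limits["max_decryptions"]:
        return False  # used more than the policy allows (e.g. 200 decryptions)
    return True


def handle_request(server_policy, bb, content_id, license_type, today):
    """Outcome of steps 709/711: 'negotiate' proceeds to step 713, 'upgrade'
    means the license server refuses until the black box has been upgraded."""
    limits = policy_for(server_policy, content_id, license_type)
    return "negotiate" if black_box_is_current(bb, today, limits) else "upgrade"


# Constructed policy: the two example definitions from the text as defaults,
# a tighter use limit for one piece of content, and a tighter age limit for
# the unlimited license type.
SERVER_POLICY = {
    "default": {"max_age": timedelta(days=30), "max_decryptions": 200},
    "by_content": {"content-001": {"max_decryptions": 50}},
    "by_license_type": {"unlimited": {"max_age": timedelta(days=7)}},
}

# Constructed sample black boxes and request date.
TODAY = date(2000, 1, 14)
BB_FRESH = {"version": 3, "issued": date(2000, 1, 1), "decryptions": 10}
BB_OLD = {"version": 2, "issued": date(1999, 11, 1), "decryptions": 10}

if __name__ == "__main__":
    for bb in (BB_FRESH, BB_OLD):
        print(bb["version"], handle_request(SERVER_POLICY, bb, "content-002", "limited", TODAY))
```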

Assuming that the license server 24 is satisfied from the version number
of a black box 30 or other indicia thereof that such black box 30 is current, the license
server 24 then proceeds to negotiate terms and conditions for the license 16 with the user
(step 713). Alternatively, the license server 24 negotiates the license 16 with the user,
then satisfies itself from the version number of the black box 30 that such black box 30 is
current (i.e., performs step 713, then step 711). Of course, the amount of negotiation
varies depending on the type of license 16 to be issued, and other factors. For example,
if the license server 24 is merely issuing a paid-up unlimited use license 16, very little
need be negotiated. On the other hand, if the license 16 is to be based on such items as
varying values, sliding scales, break points, and other details, such items and details may
need to be worked out between the license server 24 and the user before the license 16
can be issued.

As shouldbe understood, depending on the circumstances, the license 
negotiation may require that the user provide further information to the license server 24 
25 (for example, information on the user, the user's computing device 14, etc.). 

Importantly, the license negotiation may also require that the user and the license server 
24 determine a mutually acceptable payment instrument (a credit account, a debit 
account, a mailed check, etc.) and/or payment method (paid-up immediately, spread over 
a period of time, etc.), among other things. 
Once all the terms of the license 16 have been negotiated and agreed to by
both the license server 24 and user (step 715), a digital license 16 is generated by the
license server 24 (step 719), where such generated license 16 is based at least in part on
the license request, the black box 30 public key (PU-BB), and the decryption key (KD)
for the digital content 12 that is the basis of the request as obtained from the content-key
database 20. In one embodiment of the present invention, and as seen in Fig. 8, the
generated license 16 includes:

- the content ID of the digital content 12 to which the license 16 applies;

- a Digital Rights License (DRL) 48 (i.e., the rights description or actual
terms and conditions of the license 16 written in a predetermined form),
perhaps encrypted with the decryption key (KD) (i.e., KD (DRL));

- the decryption key (KD) for the digital content 12 encrypted with the
black box 30 public key (PU-BB) as received in the license request
(i.e., (PU-BB (KD)));

- a digital signature from the license server 24 (without any attached
certificate) based on (KD (DRL)) and (PU-BB (KD)) and encrypted with
the license server 24 private key (i.e., (S (PR-LS))); and

- the certificate that the license server 24 obtained previously from the
content server 22, such certificate indicating that the license server 24 has
the authority from the content server 22 to issue the license 16 (i.e.,
(CERT (PU-LS) S (PR-CS))).

As should be understood, the aforementioned elements and perhaps others are packaged
into a digital file or some other appropriate form. As should also be understood, if the
DRL 48 or (PU-BB (KD)) in the license 16 should become adulterated or otherwise
modified, the digital signature (S (PR-LS)) in the license 16 will not match and therefore
will not validate such license 16. For this reason, the DRL 48 need not necessarily be in
an encrypted form (i.e., (KD(DRL)) as mentioned above), although such encrypted form
may in some instances be desirable and therefore may be employed without departing
from the spirit and scope of the present invention.
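The content package 12p of Fig. 3, the license 16 of Fig. 8 and the Fig. 6 evaluation by the license evaluator 36 and black box 30 (including the play count in the state store 40 that outlives the license) modelled end to end, as an added Python example that is not the patent's own code. It assumes textbook RSA built from fixed Mersenne primes in place of the patent's unspecified public-key algorithm and a SHA-256 keystream XOR in place of the (KD) cipher; the key values, the 128-bit KD, the content bytes and the content ID are all constructed.

```python
# Added example, not code from the patent: a toy model of the content package 12p
# of Fig. 3, the license 16 of Fig. 8 and the evaluation of Fig. 6 in stdlib Python.
# Assumptions: textbook RSA from fixed Mersenne primes stands in for the patent's
# public-key algorithm, and "KD(data)" is a SHA-256 keystream XOR standing in for
# the (KD) cipher. Key values, content IDs and content bytes are all constructed.
import hashlib
import json

E = 65537  # RSA public exponent; coprime to (p-1)(q-1) for the primes below

def make_keypair(p, q):
    """Toy RSA (public, private) pair, each key being (modulus, exponent)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def rsa(key, m):
    """Apply a key to an integer m < modulus (encrypt, decrypt or sign)."""
    return pow(m, key[1], key[0])

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    """S (PR-x): the hash of data under the private key."""
    return rsa(priv, digest(data, priv[0]))

def verify(pub, data, sig):
    """Recover the hash with the public key; a mismatch means data was modified."""
    return rsa(pub, sig) == digest(data, pub[0])

def kd_crypt(kd, data):
    """KD(data): XOR with a keystream derived from the 128-bit integer key KD."""
    stream = b"".join(
        hashlib.sha256(kd.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed key pairs: content server (CS), license server (LS), black box (BB).
PU_CS, PR_CS = make_keypair(2**61 - 1, 2**89 - 1)
PU_LS, PR_LS = make_keypair(2**107 - 1, 2**127 - 1)
PU_BB, PR_BB = make_keypair(2**521 - 1, 2**607 - 1)

# CERT (PU-LS) S (PR-CS): the content server certifies the license server's key.
CERT_LS = (PU_LS, sign(PR_CS, json.dumps(PU_LS).encode()))

# Constructed sample content and its decryption key KD (a 128-bit integer).
KD = 0x2B7E151628AED2A6ABF7158809CF4F3C
CONTENT_ID = "content-001"
CONTENT = b"constructed sample song"

def build_package(content, content_id, key_id, kd):
    """Package 12p: KD(CONTENT), content ID, key ID and (KD (PU-CS) S (PR-CS))."""
    kd_pu_cs = kd_crypt(kd, json.dumps(PU_CS).encode())
    return {"content_id": content_id, "key_id": key_id,
            "kd_content": kd_crypt(kd, content),
            "kd_pu_cs": kd_pu_cs, "sig": sign(PR_CS, kd_pu_cs)}

def validate_package(pkg, kd):
    """(PU-CS) is obtained merely by applying KD; it is then used to check S (PR-CS)."""
    try:
        pu_cs = tuple(json.loads(kd_crypt(kd, pkg["kd_pu_cs"])))
        return verify(pu_cs, pkg["kd_pu_cs"], pkg["sig"])
    except Exception:  # a wrong KD yields garbage rather than a key
        return False

def issue_license(content_id, kd, pu_bb, max_plays):
    """License 16: content ID, DRL 48, PU-BB(KD), S (PR-LS) over both, LS cert."""
    drl = json.dumps({"max_plays": max_plays}).encode()
    pu_bb_kd = rsa(pu_bb, kd)  # KD is tied to this black box's public key
    signed = drl + pu_bb_kd.to_bytes(256, "big")
    return {"content_id": content_id, "drl": drl, "pu_bb_kd": pu_bb_kd,
            "sig": sign(PR_LS, signed), "cert": CERT_LS}

def evaluate_and_render(lic, pkg, state_store):
    """License evaluator 36 plus black box 30: returns the plaintext, or None when
    the license is invalid, not enabling, or its play count is used up."""
    pu_ls, cert_sig = lic["cert"]
    if not verify(PU_CS, json.dumps(pu_ls).encode(), cert_sig):
        return None  # license server not authorised by the content server
    signed = lic["drl"] + lic["pu_bb_kd"].to_bytes(256, "big")
    if not verify(pu_ls, signed, lic["sig"]) or lic["content_id"] != pkg["content_id"]:
        return None  # DRL or PU-BB(KD) adulterated, or license for other content
    plays = state_store.get(lic["content_id"], 0)  # state store 40 outlives the license
    if plays >= json.loads(lic["drl"])["max_plays"]:
        return None  # valid but not enabling
    kd = rsa(PR_BB, lic["pu_bb_kd"])  # only this black box can recover KD
    if not validate_package(pkg, kd):
        return None  # KD does not fit this package (or package was modified)
    state_store[lic["content_id"]] = plays + 1
    return kd_crypt(kd, pkg["kd_content"])
```

Deleting the license and re-acquiring an identical one does not reset the count, because the state is keyed independently of the license object, which is the situation the state store 40 text describes.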

Once the digital license 16 has been prepared, such license 16 is then
issued to the requestor (i.e., the DRM system 32 on the user's computing device 14) (step
719 of Fig. 7). Preferably, the license 16 is transmitted over the same path through
which the request therefor was made (i.e., the Internet or another network), although
another path may be employed without departing from the spirit and scope of the present
invention. Upon receipt, the requesting DRM system 32 preferably automatically places
the received digital license 16 in the license store 38 (step 721).

It is to be understood that a user's computing device 14 may on occasion
malfunction, and licenses 16 stored in the license store 38 of the DRM system 32 on such
user's computing device 14 may become irretrievably lost. Accordingly, it is preferable
that the license server 24 maintain a database 50 of issued licenses 16 (Fig. 1), and that
such license server 24 provide a user with a copy or re-issue (hereinafter 're-issue') of an
issued license 16 if the user is in fact entitled to such re-issue. In the aforementioned
case where licenses 16 are irretrievably lost, it is also likely the case that state
information stored in the state store 40 and corresponding to such licenses 16 is also lost.
Such lost state information should be taken into account when re-issuing a license 16.
For example, a fixed number of renderings license 16 might legitimately be re-issued in a
pro-rated form after a relatively short period of time, and not re-issued at all after a
relatively longer period of time.

DRM SYSTEM 32 - Installation/Upgrade of Black Box 30

As was discussed above, as part of the function of acquiring a license 16,
the license server 24 may deny a request for a license 16 from a user if the user's
computing device 14 has a DRM system 32 with a black box 30 that is not relatively
current, i.e., has a relatively old version number. In such case, it is preferable that the
black box 30 of such DRM system 32 be upgraded so that the license acquisition
function can then proceed. Of course, the black box 30 may be upgraded at other times
without departing from the spirit and scope of the present invention.
Preferably, as part of the process of installing the DRM system 32 on a user's computing device 14, a non-unique 'lite' version of a black box 30 is provided. Such 'lite' black box 30 is then upgraded to a unique regular version prior to rendering a piece of digital content 12. As should be understood, if each black box 30 in each DRM system 32 is unique, a security breach into one black box 30 cannot easily be replicated with any other black box 30.

Referring now to Fig. 9, the DRM system 32 obtains the unique black box 30 by requesting same from a black box server 26 or the like (as was discussed above and as shown in Fig. 1) (step 901). Typically, such request is made by way of the Internet, although other means of access may be employed without departing from the spirit and scope of the present invention. For example, the connection to a black box server 26 may be a direct connection, either locally or remotely. An upgrade from one unique non-lite black box 30 to another unique non-lite black box 30 may also be requested by the DRM system 32 at any time, such as for example a time when a license server 24 deems the black box 30 not current, as was discussed above.

Thereafter, the black box server 26 generates a new unique black box 30 (step 903). As seen in Fig. 3, each new black box 30 is provided with a version number and a certificate with a digital signature from a certifying authority. As was discussed above in connection with the license acquisition function, the version number of the black box 30 indicates the relative age thereof. The certificate with the digital signature from the certifying authority, also discussed above in connection with the license acquisition function, is a proffer or vouching mechanism from the certifying authority that a license server 24 should trust the black box 30. Of course, the license server 24 must trust the certifying authority to issue such a certificate for a black box 30 that is in fact trustworthy. It may be the case, in fact, that the license server 24 does not trust a particular certifying authority, and refuses to honor any certificate issued by such certifying authority. Trust may not occur, for example, if a particular certifying authority is found to be engaging in a pattern of improperly issuing certificates.

Preferably, and as was discussed above, the black box server 26 includes a new unique public / private key pair (PU-BB, PR-BB) with the newly generated unique black box 30 (step 903). Preferably, the private key for the black box 30 (PR-BB) is accessible only to such black box 30, and is hidden from and inaccessible by the remainder of the world, including the computing device 14 having the DRM system 32 with such black box 30, and the user thereof.

Most any hiding scheme may be employed without departing from the spirit and scope of the present invention, so long as such hiding scheme in fact performs the function of hiding the private key (PR-BB) from the world. As but one example, the private key (PR-BB) may be split into several sub-components, and each sub-component may be encrypted uniquely and stored in a different location. In such a situation, it is preferable that such sub-components are never assembled in full to produce the entire private key (PR-BB).

In one embodiment of the present invention, such private key (PR-BB) is encrypted according to code-based encryption techniques. In particular, in such embodiment, the actual code of the black box 30 is employed as encrypting key(s). Accordingly, if the code of the black box 30 is tampered with or otherwise modified, for example by a user with nefarious purposes, such private key (PR-BB) cannot be decrypted.

Although each new black box 30 is delivered with a new public / private key pair (PU-BB, PR-BB), such new black box 30 is also preferably given access to old public / private key pairs from old black boxes 30 previously delivered to the DRM system 32 on the user's computing device 14 (step 905). Accordingly, the upgraded black box 30 can still employ the old key pairs to access older digital content 12 and corresponding licenses 16 generated according to such old key pairs, as will be discussed in more detail below.

The upgraded black box 30 delivered by the black box server 26 is tightly tied to or associated with the user's computing device 14. Accordingly, such upgraded black box 30 cannot be operably transferred among multiple computing devices 14 for nefarious purposes or otherwise. In one embodiment of the present invention, as part of the request for the black box 30 (step 901) the DRM system 32 provides hardware information unique to such DRM system 32 and/or unique to the user's computing device 14 to the black box server 26, and the black box server 26 generates a black box 30 for the DRM system 32 based in part on such provided hardware information. Such generated upgraded black box 30 is then delivered to and installed in the DRM system 32 on the user's computing device 14 (steps 907, 909). If the upgraded black box 30 is then somehow transferred to another computing device 14, the transferred black box 30 recognizes that it is not intended for such other computing device 14, and does not allow any requested rendering to proceed on such other computing device 14.

Once the new black box 30 is installed in the DRM system 32, such DRM system 32 can proceed with a license acquisition function or with any other function.

DRM SYSTEM 32 - Content Rendering, Part 3

Assuming the license evaluator 36 has found at least one valid license 16 that provides the rights necessary to render the corresponding digital content 12 in the manner sought (i.e., is enabling), the license evaluator 36 then selects one of such licenses 16 for further use (step 519). Specifically, to render the requested digital content 12, the license evaluator 36 and the black box 30 in combination obtain the decryption key (KD) from such license 16, and the black box 30 employs such decryption key (KD) to decrypt the digital content 12. In one embodiment of the present invention, and as was discussed above, the decryption key (KD) as obtained from the license 16 is encrypted with the black box 30 public key (PU-BB(KD)), and the black box 30 decrypts such encrypted decryption key with its private key (PR-BB) to produce the decryption key (KD) (steps 521, 523). However, other methods of obtaining the decryption key (KD) for the digital content 12 may be employed without departing from the spirit and scope of the present invention.

Once the black box 30 has the decryption key (KD) for the digital content 12 and permission from the license evaluator 36 to render the digital content 12, control may be returned to the rendering application 34 (steps 525, 527). In one embodiment of the present invention, the rendering application 34 then calls the DRM system 32 / black box 30 and directs at least a portion of the encrypted digital content 12 to the black box 30 for decryption according to the decryption key (KD) (step 529). The black box 30 decrypts the digital content 12 based upon the decryption key (KD) for the digital content 12, and then the black box 30 returns the decrypted digital content 12 to the rendering application 34 for actual rendering (steps 533, 535). The rendering application 34 may either send a portion of the encrypted digital content 12 or the entire digital content 12 to the black box 30 for decryption based on the decryption key (KD) for such digital content 12 without departing from the spirit and scope of the present invention.

Preferably, when the rendering application 34 sends digital content 12 to the black box 30 for decryption, the black box 30 and/or the DRM system 32 authenticates such rendering application 34 to ensure that it is in fact the same rendering application 34 that initially requested the DRM system 32 to run (step 531). Otherwise, the potential exists that rendering approval may be obtained improperly by basing the rendering request on one type of rendering application 34 and in fact rendering with another type of rendering application 34. Assuming the authentication is successful and the digital content 12 is decrypted by the black box 30, the rendering application 34 may then render the decrypted digital content 12 (steps 533, 535).
Sequence of Key Transactions

Referring now to Fig. 10, in one embodiment of the present invention, a sequence of key transactions is performed to obtain the decryption key (KD) and evaluate a license 16 for a requested piece of digital content 12 (i.e., to perform steps 515-523 of Figs. 5A and 5B). Mainly, in such sequence, the DRM system 32 obtains the decryption key (KD) from the license 16, uses information obtained from the license 16 and the digital content 12 to authenticate or ensure the validity of both, and then determines whether the license 16 in fact provides the right to render the digital content 12 in the manner sought. If so, the digital content 12 may be rendered.



Bearing in mind that each license 16 for the digital content 12, as seen in Fig. 8, includes:

- the content ID of the digital content 12 to which the license 16 applies;
- the Digital Rights License (DRL) 48, perhaps encrypted with the decryption key (KD) (i.e., KD (DRL));
- the decryption key (KD) for the digital content 12 encrypted with the black box 30 public key (PU-BB) (i.e., (PU-BB (KD)));
- the digital signature from the license server 24 based on (KD (DRL)) (i.e., (S (PR-LS))); and
- the certificate that the license server 24 obtained previously from the content server 22 (i.e., (CERT (PU-LS) S (PR-CS))),

and that the digital content 12, as seen in Fig. 3, includes:

- the content ID of such digital content 12;
- the digital content 12 encrypted by KD (i.e., (KD(CONTENT)));
- a license acquisition script that is not encrypted; and
- the key KD encrypting the content server 22 public key (PU-CS), signed by the content server 22 private key (PR-CS) (i.e., (KD (PU-CS) S (PR-CS))),

the sequence of key transactions that is performed with respect to the digital content 12 is as follows:

1. Based on (PU-BB (KD)) from the license 16, the black box 30 of the DRM system 32 on the user's computing device 14 applies its private key (PR-BB) to obtain (KD) (step 1001). (PR-BB (PU-BB (KD)) = (KD)). Note, importantly, that the black box 30 could then proceed to employ KD to decrypt the digital content 12 without any further ado. However, and also importantly, the license server 24 trusts the black box 30 not to do so. Such trust was established at the time such license server 24 issued the license 16 based on the certificate from the certifying authority vouching for the trustworthiness of such black box 30. Accordingly, despite the black box 30 obtaining the decryption key (KD) as an initial step rather than a final step, the DRM system 32 continues to perform all license 16 validation and evaluation functions, as described below.

2. Based on (KD (PU-CS) S (PR-CS)) from the digital content 12, the black box 30 applies the newly obtained decryption key (KD) to obtain (PU-CS) (step 1003). (KD (KD (PU-CS)) = (PU-CS)). Additionally, the black box 30 can apply (PU-CS) as against the signature (S (PR-CS)) to satisfy itself that such signature and such digital content 12 are valid (step 1005). If not valid, the process is halted and access to the digital content 12 is denied.

3. Based on (CERT (PU-LS) S (PR-CS)) from the license 16, the black box 30 applies the newly obtained content server 22 public key (PU-CS) to satisfy itself that the certificate is valid (step 1007), signifying that the license server 24 that issued the license 16 had the authority from the content server 22 to do so, and then examines the certificate to obtain (PU-LS) (step 1009). If not valid, the process is halted and access to the digital content 12 based on the license 16 is denied.

4. Based on (S (PR-LS)) from the license 16, the black box 30 applies the newly obtained license server 24 public key (PU-LS) to satisfy itself that the license 16 is valid (step 1011). If not valid, the process is halted and access to the digital content 12 based on the license 16 is denied.

5. Assuming all validation steps are successful, and that the DRL 48 in the license 16 is in fact encrypted with the decryption key (KD), the license evaluator 36 then applies the already-obtained decryption key (KD) to (KD (DRL)) as obtained from the license 16 to obtain the license terms from the license 16 (i.e., the DRL 48) (step 1013). Of course, if the DRL 48 in the license 16 is not in fact encrypted, the decryption key (KD) need not be applied (step 1013). The license evaluator 36 then evaluates / interrogates the DRL 48 and determines whether the user's computing device 14 has the right based on the DRL 48 terms in the license 16 to render the corresponding digital content 12 in the manner sought (i.e., whether the DRL 48 is enabling) (step 1015). If the license evaluator 36 determines that such right does not exist, the process is halted and access to the digital content 12 based on the license 16 is denied.

6. However, if the license evaluator 36 in fact determines that the user's computing device 14 has the right based on the DRL 48 terms to render the corresponding digital content 12 in the manner sought, the license evaluator 36 informs the black box 30 that such black box 30 can render the corresponding digital content 12 according to the decryption key (KD). The black box 30 thereafter applies the decryption key (KD) to decrypt the digital content 12 (i.e., (KD(KD(CONTENT)) = (CONTENT)) (step 1017).

The above-specified series of steps represents an alternating or 'ping-ponging' between the license 16 and the digital content 12. Such ping-ponging ensures that the digital content 12 is tightly bound to the license 16, in that the validation and evaluation process can only occur if both the digital content 12 and the license 16 are present in a properly issued and valid form. In addition, since the same decryption key (KD) is needed to obtain the content server 22 public key (PU-CS) from the content 12 and the license terms (DRL 48) from the license 16 in a decrypted form, such items are also tightly bound. Signature validation also ensures that the digital content 12 and the license 16 are in the same form as issued from the content server 22 and the license server 24, respectively. Accordingly, it is difficult if not impossible to decrypt the digital content 12 by bypassing the license server 24, and also difficult if not impossible to alter and then decrypt the digital content 12 or the license 16.
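The six transactions above carried out end to end, as an added example that is not code from the patent: Go with the standard library, where AES-GCM stands in for the symmetric KD(x) operations, RSA-OAEP for PU-BB(KD), RSA-PSS for the S(PR-x) signatures, and a PKCS#1 public key signed by PR-CS stands in for CERT(PU-LS); Issue, Render and the one-line "ACTION=..." DRL are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Content is the package from the content server 22 (Fig. 3); License is the license 16 (Fig. 8).
type Content struct{ EncContent, EncPUCS, SigPUCS []byte }         // KD(CONTENT), KD(PU-CS), S(PR-CS) over KD(PU-CS)
type License struct{ EncKD, EncDRL, SigDRL, CertPULS, SigCert []byte } // PU-BB(KD), KD(DRL), S(PR-LS), PU-LS DER, S(PR-CS) over it

// seal/open are the "KD(x)" operations (AES-GCM, nonce prefixed); sign/verify are "S(PR-x)" (RSA-PSS, SHA-256).
func seal(kd, plain []byte) []byte {
	block, _ := aes.NewCipher(kd)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plain, nil)
}
func open(kd, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(kd)
	if err != nil || len(sealed) < 12 { // 12 = standard GCM nonce size
		return nil, fmt.Errorf("bad key or ciphertext: %v", err)
	}
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, sealed[:12], sealed[12:], nil)
}
func sign(k *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := rsa.SignPSS(rand.Reader, k, crypto.SHA256, h[:], nil)
	return sig
}
func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// Issue plays content server 22, license server 24 and black box server 26 at once (a constructed
// fixture): three key pairs, a fresh KD, the content package and a license whose KD is bound to PU-BB.
func Issue(drl, content []byte) (prBB *rsa.PrivateKey, lic *License, c *Content) {
	prCS, _ := rsa.GenerateKey(rand.Reader, 2048)
	prLS, _ := rsa.GenerateKey(rand.Reader, 2048)
	prBB, _ = rsa.GenerateKey(rand.Reader, 2048)
	kd := make([]byte, 16)
	rand.Read(kd)
	encPUCS := seal(kd, x509.MarshalPKCS1PublicKey(&prCS.PublicKey))
	c = &Content{seal(kd, content), encPUCS, sign(prCS, encPUCS)}
	certPULS := x509.MarshalPKCS1PublicKey(&prLS.PublicKey)
	encKD, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &prBB.PublicKey, kd, nil)
	encDRL := seal(kd, drl)
	lic = &License{encKD, encDRL, sign(prLS, encDRL), certPULS, sign(prCS, certPULS)}
	return
}

// Render carries out the six key transactions of Fig. 10 inside the black box 30 and releases
// CONTENT only when every link checks out; the box holds KD after step 1001 but keeps validating.
func Render(prBB *rsa.PrivateKey, lic *License, c *Content, action string) ([]byte, error) {
	kd, err := rsa.DecryptOAEP(sha256.New(), nil, prBB, lic.EncKD, nil) // 1. PR-BB(PU-BB(KD)) = KD
	if err != nil {
		return nil, fmt.Errorf("step 1001: %w", err)
	}
	der, err := open(kd, c.EncPUCS) // 2. KD(KD(PU-CS)) = PU-CS
	if err != nil {
		return nil, fmt.Errorf("step 1003: %w", err)
	}
	puCS, err := x509.ParsePKCS1PublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("step 1003: %w", err)
	}
	if err = verify(puCS, c.EncPUCS, c.SigPUCS); err != nil { // S(PR-CS) on the content checks out
		return nil, fmt.Errorf("step 1005: %w", err)
	}
	if err = verify(puCS, lic.CertPULS, lic.SigCert); err != nil { // 3. CERT(PU-LS) S(PR-CS)
		return nil, fmt.Errorf("step 1007: %w", err)
	}
	puLS, err := x509.ParsePKCS1PublicKey(lic.CertPULS)
	if err != nil {
		return nil, fmt.Errorf("step 1009: %w", err)
	}
	if err = verify(puLS, lic.EncDRL, lic.SigDRL); err != nil { // 4. S(PR-LS) over KD(DRL)
		return nil, fmt.Errorf("step 1011: %w", err)
	}
	drl, err := open(kd, lic.EncDRL) // 5. KD(KD(DRL)) = DRL, then evaluate it
	if err != nil {
		return nil, fmt.Errorf("step 1013: %w", err)
	}
	if string(drl) != "ACTION="+action { // constructed one-line DRL
		return nil, fmt.Errorf("step 1015: DRL does not enable %s", action)
	}
	return open(kd, c.EncContent) // 6. KD(KD(CONTENT)) = CONTENT
}
```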



In one embodiment of the present invention, signature verification, and especially signature verification of the license 16, is alternately performed as follows. Rather than relying on a signature encrypted by the private key of the license server 24 (PR-LS) alone, a root entity gives a license server 24 permission to issue licenses 16 if such license server 24 has arranged with the root entity to issue licenses 16. In such embodiment, the root entity provides the license server 24 with a license server 24 certificate signed with the private root key (PR-R) (CERT (PU-LS) S (PR-R)), and each license 16 issued by such license server 24 then includes the certificate from the root entity (CERT (PU-LS) S (PR-R)) and the signature of the license 16 (S (PR-LS)). The public root key (PU-R) is in turn provided to each DRM system 18. For a DRM system 18 to validate such issued license 16, such DRM system 18 applies the public root key (PU-R) to the certificate (CERT (PU-LS) S (PR-R)) to obtain the license server public key (PU-LS), and then applies the obtained license server public key (PU-LS) to verify the signature of the license 16 (S (PR-LS)).

Importantly, it should be recognized that just as the root entity gave the license server 24 permission to issue licenses 16 by providing the certificate (CERT (PU-LS) S (PR-R)) to such license server 24, such license server 24 can provide a similar certificate to a second license server 24 (i.e., (CERT (PU-LS2) S (PR-LS1))), thereby allowing the second license server to also issue licenses 16. As should now be evident, a license 16 issued by the second license server would include a first certificate (CERT (PU-LS1) S (PR-R)) and a second certificate (CERT (PU-LS2) S (PR-LS1)). Likewise, such license 16 is validated by following the chain through the first and second certificates. Of course, additional links in the chain may be added and traversed.

One advantage of the aforementioned signature verification process is that the root entity may periodically change the private root key (PR-R), thereby likewise periodically requiring each license server 24 to obtain a new certificate (CERT (PU-LS) S (PR-R)). Importantly, as a requirement for obtaining the new certificate, each license server may be required to upgrade itself. As with the black box 30, if a license server 24 is relatively current, i.e., has been upgraded relatively recently, it is less likely that the license server 24 has been successfully attacked. Accordingly, as a matter of trust, each license server 24 is preferably required to be upgraded periodically. Of course, other upgrade mechanisms may be employed without departing from the spirit and scope of the present invention.

Of course, if the private root key (PR-R) is changed, then the public root key (PU-R) in each DRM system 18 must be changed. Such change may for example take place during a normal upgrade of a DRM system 18, the public root key (PU-R) being kept in the state store 40 of the DRM system 18.

Digital Rights License 48

In the present invention, the license evaluator 36 evaluates a Digital Rights License (DRL) 48 as the terms and conditions of a license 16 to determine if such DRL 48 allows rendering of a corresponding piece of digital content 12 in the manner sought. In one embodiment of the present invention, the DRL 48 may be written by a licensor (i.e., the content owner) in any DRL language.

As should be understood, there are a multitude of ways to specify a DRL 48. Accordingly, a high degree of flexibility must be allowed for in any DRL language. However, it is impractical to specify all aspects of a DRL 48 in a particular license language, and it is highly unlikely that the author of such a language can appreciate all possible licensing aspects that a particular digital licensor may desire. Moreover, a highly sophisticated license language may be unnecessary and even a hindrance for a licensor providing a relatively simple DRL 48. Nevertheless, a licensor should not be unnecessarily restricted in how to specify a DRL 48. At the same time, the license evaluator 36 should always be able to get answers from a DRL 48 regarding a number of specific license questions.

In the present invention, and referring now to Fig. 11, a DRL 48 can be specified in any license language, but includes a language identifier or tag 54. The license evaluator 36 evaluating the license 16, then, performs the evaluation based on the DRL 48 by reviewing the language tag 54 to identify such language, and then selects an appropriate license language engine 52 to evaluate the license terms in such identified language. As should be understood, such language engine 52 must be present and accessible to the license evaluator 36. If not present, the language tag 54 and/or the DRL 48 preferably includes a location 56 (typically a web site) for obtaining such language engine 52.

Typically, the language engine 52 is in the form of an executable file or set of files that reside in a memory of the user's computing device 14, such as a hard drive. The language engine 52 assists the license evaluator 36 to directly interrogate the DRL 48, the license evaluator 36 interrogates the DRL 48 indirectly via the language engine 52 acting as an intermediary, or the like. When executed, the language engine 52 runs in a work space in a memory of the user's computing device 14, such as RAM. However, any other form of language engine 52 may be employed without departing from the spirit and scope of the present invention.
Preferably, any language engine 52 and any DRL language supports at least a number of specific license questions that the license evaluator 36 expects to be answered by any DRL 48, as will be discussed below. Accordingly, the license evaluator 36 is not tied to any particular DRL language; a DRL 48 may be written in any appropriate DRL language; and a DRL 48 specified in a new license language can be employed by an existing license evaluator 36 by having such license evaluator 36 obtain a corresponding new language engine 52.




Two examples of DRL languages, as embodied in respective DRLs 48, are provided below. The first, 'simple' DRL 48 is written in a DRL language that specifies license attributes, while the second 'script' DRL 48 is written in a DRL language that can perform functions according to the script specified in the DRL 48. The attributes used in both are described in the chart that follows the examples.
Simple DRL 48:

<LICENSE>
  <DATA>
    <NAME>Beastie Boys Play</NAME>
    <ID>39384</ID>
    <DESCRIPTION>Play the song 3 times</DESCRIPTION>
    <TERMS></TERMS>
    <VALIDITY>
      <NOTBEFORE>19980102 23:20:14Z</NOTBEFORE>
      <NOTAFTER>19980102 23:20:14Z</NOTAFTER>
    </VALIDITY>
    <ISSUEDDATE>19980102 23:20:14Z</ISSUEDDATE>
    <LICENSORSITE>http://www.foo.com</LICENSORSITE>
    <CONTENT>
      <NAME>Beastie Boy's</NAME>
      <ID>392</ID>
      <KEYID>39292</KEYID>
      <TYPE>MS Encrypted ASF 2.0</TYPE>
    </CONTENT>
    <OWNER>
      <ID>939KDKD393KD</ID>
      <NAME>Universal</NAME>
      <PUBLICKEY></PUBLICKEY>
    </OWNER>
    <LICENSEE>
      <NAME>Arnold</NAME>
      <ID>939KDKD393KD</ID>
      <PUBLICKEY></PUBLICKEY>
    </LICENSEE>
    <PRINCIPAL TYPE='AND'>
      <PRINCIPAL TYPE='OR'>
        <PRINCIPAL>
          <TYPE>x86Computer</TYPE>
          <ID>3939292939d9e939</ID>
          <NAME>Personal Computer</NAME>
          <AUTHTYPE>Intel Authenticated Boot PC SHA-1 DSA512</AUTHTYPE>
          <AUTHDATA>29293939</AUTHDATA>
        </PRINCIPAL>
        <PRINCIPAL>
          <TYPE>Application</TYPE>
          <ID>2939495939292</ID>
          <NAME>Window's Media Player</NAME>
          <AUTHTYPE>Authenticode SHA-1</AUTHTYPE>
          <AUTHDATA>93939</AUTHDATA>
        </PRINCIPAL>
      </PRINCIPAL>
      <PRINCIPAL>
        <TYPE>Person</TYPE>
        <ID>39299482010</ID>
        <NAME>Arnold Blinn</NAME>
        <AUTHTYPE>Authenticate user</AUTHTYPE>
        <AUTHDATA>\\redmond\arnoldb</AUTHDATA>
      </PRINCIPAL>
    </PRINCIPAL>
    <DRLTYPE>Simple</DRLTYPE>   [the language tag 54]
    <DRLDATA>
      <START>19980102 23:20:14Z</START>
      <END>19980102 23:20:14Z</END>
      <COUNT>3</COUNT>
      <ACTION>PLAY</ACTION>
    </DRLDATA>
    <ENABLINGBITS>aaaabbbbccccdddd</ENABLINGBITS>
  </DATA>
  <SIGNATURE>
    <SIGNERNAME>Universal</SIGNERNAME>
    <SIGNERID>9382ABK3939DKD</SIGNERID>
    <HASHALGORITHMID>MD5</HASHALGORITHMID>
    <SIGNALGORITHMID>RSA 128</SIGNALGORITHMID>
    <SIGNATURE>xxxyyyxxxyyyxxxyyy</SIGNATURE>
    <SIGNERPUBLICKEY></SIGNERPUBLICKEY>
    <CONTENTSIGNEDSIGNERPUBLICKEY></CONTENTSIGNEDSIGNERPUBLICKEY>
  </SIGNATURE>
</LICENSE>

Script DRL 48:

<LICENSE>
  <DATA>
    <NAME>Beastie Boy's Play</NAME>
    <ID>39384</ID>
    <DESCRIPTION>Play the song unlimited</DESCRIPTION>
    <TERMS></TERMS>
    <VALIDITY>
      <NOTBEFORE>19980102 23:20:14Z</NOTBEFORE>
      <NOTAFTER>19980102 23:20:14Z</NOTAFTER>
    </VALIDITY>
    <ISSUEDDATE>19980102 23:20:14Z</ISSUEDDATE>
    <LICENSORSITE>http://www.foo.com</LICENSORSITE>
    <CONTENT>
      <NAME>Beastie Boys</NAME>
      <ID>392</ID>
      <KEYID>39292</KEYID>
      <TYPE>MS Encrypted ASF 2.0</TYPE>
    </CONTENT>
    <OWNER>
      <ID>939KDKD393KD</ID>
      <NAME>Universal</NAME>
      <PUBLICKEY></PUBLICKEY>
    </OWNER>
    <LICENSEE>
      <NAME>Arnold</NAME>
      <ID>939KDKD393KD</ID>
      <PUBLICKEY></PUBLICKEY>
    </LICENSEE>
    <DRLTYPE>Script</DRLTYPE>   [the language tag 54]
    <DRLDATA>
      function on_enable(action, args) as boolean
        result = False
        if action = "PLAY" then
          result = True
        end if
        on_action = False
      end function
      ...
    </DRLDATA>
  </DATA>
  <SIGNATURE>
    <SIGNERNAME>Universal</SIGNERNAME>
    <SIGNERID>9382</SIGNERID>
    <SIGNERPUBLICKEY></SIGNERPUBLICKEY>
    <SIGNID>RSA 128</SIGNID>
    <SIGNATURE>xxxyyyxxxyyyxxxyyy</SIGNATURE>
    <CONTENTSIGNEDSIGNERPUBLICKEY></CONTENTSIGNEDSIGNERPUBLICKEY>
  </SIGNATURE>
</LICENSE>
In the two DRLs 48 specified above, the attributes listed have the following descriptions and data types:

Attribute                        | Description                                                                                   | Data Type
---------------------------------|-----------------------------------------------------------------------------------------------|----------
Id                               | ID of the license                                                                             | GUID
Name                             | Name of the license                                                                           | String
Content Id                       | ID of the content                                                                             | GUID
Content Key Id                   | ID for the encryption key of the content                                                      | GUID
Content Name                     | Name of the content                                                                           | String
Content Type                     | Type of the content                                                                           | String
Owner Id                         | ID of the owner of the content                                                                | GUID
Owner Name                       | Name of the owner of the content                                                              | String
Owner Public Key                 | Public key for owner of content. This is a base-64 encoded public key for the owner of the content. | String
Licensee Id                      | Id of the person getting license. It may be null.                                             | GUID
Licensee Name                    | Name of the person getting license. It may be null.                                           | String
Licensee Public Key              | Public key of the licensee. This is the base-64 encoded public key of the licensee. It may be null. | String
Description                      | Simple human readable description of the license                                              | String
Terms                            | Legal terms of the license. This may be a pointer to a web page containing legal prose.       | String
Validity Not After               | Validity period of license expiration                                                         | Date
Validity Not Before              | Validity period of license start                                                              | Date
Issued Date                      | Date the license was issued                                                                   | Date
DRL Type                         | Type of the DRL. Examples include "SIMPLE" or "SCRIPT"                                        | String
DRL Data                         | Data specific to the DRL                                                                      | String
Enabling Bits                    | These are the bits that enable access to the actual content. The interpretation of these bits is up to the application, but typically this will be the private key for decryption of the content. This data will be base-64 encoded. Note that these bits are encrypted using the public key of the individual machine. | String
Signer Id                        | ID of person signing license                                                                  | GUID
Signer Name                      | Name of person signing license                                                                | String
Signer Public Key                | Public key for person signing license. This is the base-64 encoded public key for the signer. | String
Content Signed Signer Public Key | Public key for person signing the license that has been signed by the content server private key. The public key to verify this signature will be encrypted in the content. This is base-64 encoded. | String
Hash Alg Id                      | Algorithm used to generate hash. This is a string, such as "MD5".                             | String
Signature Alg Id                 | Algorithm used to generate signature. This is a string, such as "RSA 128".                    | String
Signature                        | Signature of the data. This is base-64 encoded data.                                          | String
Methods

As was discussed above, it is preferable that any language engine 52 and any DRL language support at least a number of specific license questions that the digital license evaluator 36 expects to be answered by any DRL 48. Recognizing that such supported questions may include any questions without departing from the spirit and scope of the present invention, and consistent with the terminology employed in the two DRL 48 examples above, in one embodiment of the present invention, such supported questions or 'methods' include 'access methods', 'DRL methods', and 'enabling use methods', as follows:



Access Methods

Access methods are used to query a DRL 48 for top-level attributes.

VARIANT QueryAttribute (BSTR key)

Valid keys include License.Name, License.Id, Content.Name, Content.Id, Content.Type, Owner.Name, Owner.Id, Owner.PublicKey, Licensee.Name, Licensee.Id, Licensee.PublicKey, Description, and Terms, each returning a BSTR variant; and Validity.Start and Validity.End, each returning a Date Variant.

DRL Methods

The implementation of the following DRL methods varies from DRL 48 to DRL 48. Many of the DRL methods contain a variant parameter labeled 'data' which is intended for communicating more advanced information to the DRL 48, largely for future expandability.

Boolean IsActivated (Variant data)

Boolean IsSunk (BSTR action, Variant data)

This method returns a Boolean indicating whether the license 16 / DRL 48 has been paid for. A license 16 that is paid for up front would return TRUE, while a license 16 that is not paid for up front, such as a license 16 that collects payments as it is used, would return FALSE.



Enabling Use Methods

These methods are employed to enable a license 16 for use in decrypting content.

Boolean Validate (BSTR key)

This method is used to validate a license 16. The passed-in key is the black box 30 public key (PU-BB) encrypted by the decryption key (KD) for the corresponding digital content 12 (i.e., (KD(PU-BB))) as obtained from the digital content 12. A return value of TRUE indicates that the license 16 is valid. A return value of FALSE indicates invalid.

int OpenLicense (BSTR action, BSTR key, Variant data)

The passed-in key is (KD(PU-BB)) as described above. A return value of 0 indicates success. Other return values can be defined.

BSTR GetDecryptedEnablingBits (BSTR action, Variant data)

Variant GetDecryptedEnablingBitsAsBinary (BSTR action, Variant Data)

These methods are used to access the enabling bits in decrypted form. If this is not successful for any of a number of reasons, a null string or null variant is returned.

void CloseLicense (BSTR action, Variant data)

This method is used to unlock access to the enabling bits for performing the passed-in action. If this is not successful for any of a number of reasons, a null string is returned.



Heuristics

As was discussed above, if multiple licenses 16 are present for the same piece of digital content 12, one of the licenses 16 must be chosen for further use. Using the above methods, the following heuristics could be implemented to make such choice. In particular, to perform an action (say "PLAY") on a piece of digital content 12, the following steps could be performed:

1. Get all licenses 16 that apply to the particular piece of digital content 12.

2. Eliminate each license 16 that does not enable the action by calling the IsEnabled function on such license 16.

3. Eliminate each license 16 that is not active by calling IsActivated on such license 16.

4. Eliminate each license 16 that is not paid for up front by calling IsSunk on such license 16.

5. If any license 16 is left, use it. Use an unlimited-number-of-plays license 16 before using a limited-number-of-plays license 16, especially if the unlimited-number-of-plays license 16 has an expiration date. At any time, the user should be allowed to select a specific license 16 that has already been acquired, even if the choice is not cost-effective. Accordingly, the user can select a license 16 based on criteria that are perhaps not apparent to the DRM system 32.
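The Simple DRL layout above and the selection heuristics of steps 1-5, as an added Go example that is not the patent's own code: ParseLicense, Choose, the two constructed licenses and the convention that a missing COUNT means unlimited plays and a missing END means no expiration are assumptions of this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"time"
)

// DRLDate is the date layout the DRLs 48 above use, e.g. "19980102 23:20:14Z".
const DRLDate = "20060102 15:04:05Z"

// License carries the parts of a 'Simple' DRL 48 that the selection heuristics
// consult; the xml paths follow the <LICENSE><DATA> layout shown above.
type License struct {
	ID      string `xml:"DATA>ID"`
	Name    string `xml:"DATA>NAME"`
	DRLType string `xml:"DATA>DRLTYPE"`
	Start   string `xml:"DATA>DRLDATA>START"`
	End     string `xml:"DATA>DRLDATA>END"`   // empty: no expiration date
	Count   int    `xml:"DATA>DRLDATA>COUNT"` // 0: unlimited number of plays
	Action  string `xml:"DATA>DRLDATA>ACTION"`
	sunk    bool   // what IsSunk reports; supplied by the caller in this example
}

// ParseLicense reads the language tag 54 first and accepts only the 'Simple'
// DRL language, the one language engine 52 this example implements.
func ParseLicense(doc string, paidUpFront bool) (*License, error) {
	var l License
	if err := xml.Unmarshal([]byte(doc), &l); err != nil {
		return nil, err
	}
	if l.DRLType != "Simple" {
		return nil, fmt.Errorf("no language engine 52 for DRL type %q", l.DRLType)
	}
	l.sunk = paidUpFront
	return &l, nil
}

// IsEnabled, IsActivated and IsSunk answer the questions the heuristics ask.
func (l *License) IsEnabled(action string) bool { return l.Action == action }

func (l *License) IsActivated(now time.Time) bool {
	start, err := time.Parse(DRLDate, l.Start)
	if err != nil || now.Before(start) {
		return false
	}
	if l.End == "" {
		return true
	}
	end, err := time.Parse(DRLDate, l.End)
	return err == nil && !now.After(end)
}

func (l *License) IsSunk() bool { return l.sunk }

// Choose applies heuristics steps 1-5 to the licenses 16 that apply to one piece
// of content: drop those that do not enable the action, are not active or are not
// paid for up front, then prefer an unlimited-plays license, and among those one
// that expires, so the perishable license is consumed first. A license the user
// picked explicitly wins if it enables the action, whether or not it is cheapest.
func Choose(applicable []*License, action string, now time.Time, userPick string) *License {
	var usable []*License
	for _, l := range applicable {
		if l.ID == userPick && l.IsEnabled(action) {
			return l
		}
		if l.IsEnabled(action) && l.IsActivated(now) && l.IsSunk() {
			usable = append(usable, l)
		}
	}
	if len(usable) == 0 {
		return nil
	}
	rank := func(l *License) int {
		switch {
		case l.Count == 0 && l.End != "":
			return 0 // unlimited plays but expires: use it first
		case l.Count == 0:
			return 1 // unlimited plays, never expires
		}
		return 2 // limited number of plays: keep it for later
	}
	sort.SliceStable(usable, func(i, j int) bool { return rank(usable[i]) < rank(usable[j]) })
	return usable[0]
}

// Constructed licenses in the Simple DRL layout above: three plays of content
// 392, and an unlimited-plays license for the same content that expires.
const LimitedXML = `<LICENSE><DATA><NAME>Beastie Boys Play</NAME><ID>39384</ID>
<DRLTYPE>Simple</DRLTYPE><DRLDATA><START>19980102 23:20:14Z</START>
<END>19980131 23:20:14Z</END><COUNT>3</COUNT><ACTION>PLAY</ACTION></DRLDATA>
</DATA></LICENSE>`

const UnlimitedXML = `<LICENSE><DATA><NAME>Beastie Boys Play Unlimited</NAME><ID>39385</ID>
<DRLTYPE>Simple</DRLTYPE><DRLDATA><START>19980102 23:20:14Z</START>
<END>19980131 23:20:14Z</END><ACTION>PLAY</ACTION></DRLDATA></DATA></LICENSE>`
```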
based on the digital content 12, but likely includes one or more audio output devices (a sound card, e.g.), one or more video output devices (a video card, e.g.), or the like.

It is to be recognized that the rendering application 34 itself may have aspects of a path such as the path 58. In particular, and depending upon the particular rendering application 34, such rendering application 34 may be made up of many modules or sub-components with many possible branches, junctions, loops, and the like. Therefore, it may be difficult to determine where the rendering application 34 ends and where the path 58 begins. As should be appreciated, the determination of where the rendering application 34 ends and where the path 58 begins can be somewhat arbitrary. Accordingly, the rendering application 34 can include at least a portion of the path 58, if not the entirety thereof, and the path 58 can include at least a portion of the rendering application 34, if not the entirety thereof, without departing from the spirit and scope of the present invention.

Thus, the black box 30 and/or the DRM system 32 also preferably authenticates the path 58 and the modules 62 therein. Otherwise, the potential exists that one or more modules 62 in the path 58 may be employed by a nefarious user to intercept the naked digital content 12 as it leaves the rendering application 34, and such digital content 12 may then be further copied and distributed without authorization. Assuming the authentication is successful, the digital content 12 is decrypted by the black box 30 and forwarded to the rendering application 34 for further forwarding along the path 58 to the ultimate destination 60.

As should be understood, and as shown in Fig. 13, the path 58 typically includes a user mode portion 58u and a kernel portion 58k. The user mode portion 58u encompasses modules 62 that reside in a user mode of the user's computing device 14, and includes functionality more specific to the user and the rendering application 34. Correspondingly, the kernel portion 58k encompasses modules 62 that reside in a kernel of the user's computing device 14, and includes functionality more specific to the core operations of the user's computing device 14. As seen, each portion 58u, 58k may include branches, junctions, loops, and the like.

In one embodiment of the present invention, and referring now to Fig. 14, 
the DRM system 32 directs the rendering application 14 to output naked digital content 
12 in a scrambled form such that the scrambled digital content 12 enters the user mode 

5 portion 58u of the path 58 (step 1401). Such scrambled digital content 12 is then acted 
upon and/or variously manipulated by the various modules 62 that define the user mode 
portion 58u of the path 58, and the resulting scrambled manipulated digital content 12 
transits from the user mode portion 58u to the kernel portion 58k of the path 58 (step 
1403). Importantly, the DRM system 32 also directs that upon leaving the user mode 

10 portion 58u / entering the kernel portion 58k, the scrambled manipulated digital content 
12 is de-scrambled by an appropriate de-scrambling module 62, preferably in the kernel v 

portion 58k of the path 58 (step 1405). 

As may be appreciated, such scrambling and de-scrambling can take any 
appropriate form without departing from the spirit and scope of the present invention. Of 
15 course the scrambling and de-scrambling elements must agree beforehand on the form 
and all necessary protocols. For example, appropriate encryption and decryption 
techniques may be employed based on a symmetric or asymmetric key. As may also be 
appreciated, by presenting scrambled digital content 1 2 to each module 62 in the user 
mode portion 58u of the path 58, each such module 62 is essentially prevented from 
20 performing any operations on such scrambled digital content 12. Thus, the user mode 
portion 58u of the path 58 is essentially omitted or 'tunneled', whereby none of the 
modules 62 in such user mode portion 5 8u is allowed to manipulate the digital content 1 2 
as it passes through such portion 58u of the path 58.. Nevertheless, such tunneling is not 
considered to be especially problematic in that the kernel portion 58k of the path 58 
25 typically replicates most of the functions performed in the user mode portion 58u. 

In such embodiment, the digital content 12 is de-scrambled (Le., again 
naked) in the kernel portion 58k of the path because each module in such kernel portion 
58k that is in intact with/ can manipulate / can 'touch' the naked digital content 12 has 
already authenticated itself to the DRM system 32. Specifically, prior to releasing the 
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performs a traversal oi mc *cu«i yv*uv- ^ 

^^^tAStmtmtmlkmmt^mMia. b, recognizmg 

to, the kernel portioa Wk of the user's computing device 14 comprte u^y -tia 
ft( ^,fe-.f«hieh^i«fi».th.k«<n.lp«tie»5 8 k.fth.p*58. a .eDRM 

^t-fil^dotBtdetotaptdhSS^the^^eMMttouchtheMkeddip 



content 12. 






embodiment 



^ e fflh.ft«k«mdpo«io B 5ekof t hep^ a nda« t h«afie»^ S »«h^»o*l' 6J 
(step 1501), determining all possible destination modules 62 that receive data from such 

uuwomam » -* < l0S,ible tedra,ion modole 62 ^ 

authenticating such destination module 62 (step 1505), determining all possible 
de ^o«B»*te62u^^^»«^««^ , ^ a(,l, » 1507) ' 

^.andit^tepe*^^^^ 0 ^^^ 5 *^ 
,*»i*«.*.*^e*«* 1 - - * ,l, ' , " ,5,,t,,,,ta " 
(step 1509). Of course, determining all possible destination modules 62 
may even include an explicit destination list. 

In one embodiment of the present invention, the DRM system 32 



executable file 






RAM 






ana are uibuw; 

Ih,DRMsy^32d»ta ttS the«xecn«shl«file,fis>dsdw«n. 
checks a signature to ensure that the executable file was not tampered with, 
among other things. 
memory does not materially differ from the executable file to ensure that the module 62 
as resides in dynamic memory was not tampered with, among other things. In 

find all destination modules 62 arrived at from such module 62. As may be 
appreciated, such destination modules 62 may be determined 
relatively simply by looking for calls or the like. 

The aforementioned initial module 62 should be the first module that sees 

the naked digital content 12 in the kernel portion 58k, and is likely to be the 
aforementioned de-scrambling module 62. Of course, some other module 62 may be the 

initial module 62, again without departing from the spirit and scope of the present 

invention. 

to fully discovering all other modules 62 that define the kernel portion 58k of the 
path 58. 

The DRM system 32 may employ an appropriate database device to keep 

track of modules 62 determined to be in the kernel portion 58k of the path 58, all 

modules 62 authenticated, etc. Accordingly, the DRM system 32 can for example 
recognize when a loop in such path 58 has been completed and can avoid needless re-

authentication of modules 62 in the loop. The particular sequence of determining 
and authenticating modules 62 may vary without departing from the spirit and scope of 
the present invention. For example, modules 62 may be authenticated as determined, 

ton^s<»8^^*'^ ffl ^ < * ,e ^^ ,0d,te, " 
anfintioted, or a combination thereof. 

In one embodiment of the present invention, each path module62 
^c^i^hypn^t.th.DFMsy S t»32^ OT r«,u^»prop« 

64 (Fig. 4) as received from a certifying authority. Such certificate 64 may be in any 
form without departing from the spirit and scope of the present invention. For example, such certificate 
64 may include a hash of the module 62 as a verifying feature, or may include a public 
key for decrypting an attached verifying message. Of course, each module 62 in the 
kernel portion 58k of the path 58 must already have such a certificate 64, or else such 
module 62 cannot be authenticated. The DRM system 32 reviews the proffered 
certificate 64 upon receipt from the module 62 and determines if the received certificate 
64 is acceptable for purposes of authenticating the module 62. 

If even a single module 62 in the kernel portion 58k of the path 58 fails to 
authenticate itself to the satisfaction of the DRM system 32, and the corresponding 
license 16 is silent on the subject, such DRM system 32 declares the path 58 suspect and 
refuses to release the digital content 12 to the rendering application 34 and beyond (steps 
1511, 1513). Correspondingly, if all modules 62 in the kernel portion 58k of the path 58 
succeed in authenticating themselves to the satisfaction of the DRM system 32, such 
DRM system 32 declares the path 58 trustworthy and allows the digital content 12 to be 
released to the rendering application 34 and beyond, subject to any and all other 
requirements having been met. In the case where authentication is 
performed as each module 62 is determined and a module 62 fails to authenticate itself, 
the traversal may be completed if for example a need exists to fully define the map of the 
path 58, or the traversal may be stopped without further determination of modules 62 in 
the path 58. 

As an alternative, and as was alluded to above, the corresponding license 
16 may include explicit instructions as to what to do if a module 62 fails to 
authenticate itself. Of course, such instructions may 

vary. For example, the license 16 
may allow a certain number of non-authenticating modules 62 in the path 58, or may 

allow all non-authenticating modules 62. As another alternative, in the absence of 
explicit instructions in the corresponding license 16, the DRM system 32 may include 

fom the spirit and scope of the present invention. 



20 
As described above, the DRM system 32 performs the work of 
authenticating each module 62. However, in an alternate embodiment of the present 
invention, each module 62 in the path performs the work of authenticating the next 
module(s) 62 in the path. Note that each module 62 authenticating the next module(s) 62 
should be a relatively simple task inasmuch as each module 62 should already have 
intimate knowledge of exactly which module(s) 62 are in fact the next module(s) 62. 
Thus, the task of authentication is decentralized, and may be performed on an on-going 
basis as needed. 


embodiment of the present 



10 nmit^ct^^c^a^^t<^^'^^^ mi ', 

the digital content 12 and allow such manipulation to take place. For example, if 
scrambling is performed on only a less significant portion of the digital 

content 12 (the least significant byte of each 2-byte piece of data, e.g.), certain types of 
manipulating could still be performed on the rest of such digital content 12. 

In one embodiment of the present invention, recognizing that some 
situations require full manipulation of the digital content 12 by modules 62 in the user 
mode portion 58u of the path, i.e., that tunneling isn't always advisable, the user mode 
portion 58u of the path 58 is also traversed and authenticated in the manner shown in 
Fig. 15 and discussed above in connection with the kernel portion 58k of the path 58. To 
do so, each module 62 in the user mode portion 58u of the path 58 should already have 
an appropriate certificate 64 as received from a certifying authority. Of course, if such 
certificate 64 is lacking, such module 62 cannot be authenticated. Other authenticating 
measures aside from a certificate 64 may be employed without departing from the spirit 
and scope of the present invention. 

Notably, traversal of the user mode portion 58u of the path 58 is 
likely more difficult than traversal of the kernel portion 58k. Reasons for such 
difficulty include the likelihood that the user mode portion 58u is larger than the kernel 
portion 58k, the likelihood that the user mode portion 58u has more complex data 
branching, joining and looping structures than the kernel portion 58k, and the likelihood 
that at least some of the modules 62 in the user mode portion 58u do not have 
authenticating measures such as certificates 64, among other things. In an effort to 
mitigate such difficulty, and recognizing that some sub-portions 58s of the user mode 
portion 58u of the path 58 should not substantively change the naked digital content 12 
or are otherwise non-essential, and yet are relatively long, each such sub-portion 58s is 
tunneled in the manner shown in Fig. 14. That is, at a module 62 just before such sub-portion 58s, the digital content 
12 is scrambled (step 1403), and at a module 62 just after such sub-portion 58s, the 
scrambled digital content 12 is de-scrambled (step 1405). Such tunneled sub-portion(s) 
58s thus need not be authenticated by the DRM system 32. 

The scramble / de-scramble functionality may be built into each module 
62 so that the DRM system 32 can turn on / turn off such functionality as needed in any 
sub-portion 58s of the path 58. Alternatively, dedicated scramble / de-scramble modules 
62 may be built into the path 58 in appropriate locations beforehand without departing 
from the spirit and scope of the present invention. 

In an embodiment of the present invention as described above, if even a 
single module 62 in the user portion 58u or the kernel portion 58k of the path 58 fails to 
authenticate itself to the satisfaction of the DRM system 32, such DRM system 32 
declares the path 58 suspect and refuses to release the digital content 12 to the rendering 
application 34 and beyond (steps 1511, 1513 of Fig. 15). However, in an alternate 
embodiment, for each non-authenticating module 62 (in either the user portion 58u or the 
kernel portion 58k of the path 58), such DRM system 32 defines an appropriate sub-
portion 58s including such non-authenticating module 62 and tunnels such sub-portion 
58s in the manner shown in Fig. 14 (step 1517 of Fig. 15), and 
the DRM system 32 can then declare the altered path 58 trustworthy and thereby release 
the digital content 12 to the rendering application 34. Of course, tunneling a sub-portion 
58s having a non-authenticated module 62 may degrade the path 58 somewhat, perhaps 
to an unacceptable level. 

As is known, a certificate 64 provided by a certifying authority can and at 
times does become compromised in that the 'secret' of the compromised certificate 64 
becomes discovered and/or public knowledge. Once compromised, a certificate 64 can 
be proffered by anyone, including a nefarious entity who wishes to do a non-trustworthy 
act. For example, such a nefarious entity can attach a compromised certificate 64 to a 
nefarious module in the path 58. Thus, the nefarious module 62 can proffer the 
compromised certificate 64 to the DRM system 32 to gain the trust of such DRM system 
32, and nevertheless thereafter perform a non-trustworthy act such as storing digital 
content 12 in a naked and/or non-secure form. 

When such a compromised certificate 64 comes to light, the certifying 
authority that issued such certificate 64 or another party hopefully is made aware of the 
compromised state thereof. Such certifying authority or other party therefore regularly 
issues a list of certificates 64 that are not to be trusted anymore (i.e., have been 












64 is regularly provided to the DRM system 32, and such DRM system 32 stores such 
revocation list 66 in a secure location such as the state store 40 (Fig. 4) to prevent 
tampering therewith. 

Accordingly, and referring now to Fig. 16, as part of authenticating each 

module 62, the DRM system 32 of the present invention reviews the proffered certificate 
64 upon receipt from the module 62 and determines if the received certificate 64 is 
acceptable for purposes of authenticating the module 62 (step 1601); and also checks the 
revocation list 66 to ensure that the proffered certificate 64 has not been 



revoked (step 1603). If revoked, the module is treated by the DRM system 32 as if non- 






authenticated. Preferably, the DRM system 32 regularly obtains a current 
revocation list 66 and/or updates its resident revocation list 66. Such objective 

can be fulfilled by for example obtaining / downloading of a current revocation list 66 
prior to obtaining a new black box 30, a new license 16, new digital content 10, or the 
like. Alternatively such objective can be fulfilled by for example updating of a resident 
revocation list 66 prior to obtaining a new black box 30, a new license 16, new digital 
content 10, or the like. Such downloading / obtaining / updating may be performed as a 
requirement or may be performed automatically and/or transparently. Of course, other 
methods of fulfilling the objective may be employed without departing from the spirit 
and scope of the present invention. 
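The Fig. 15 / Fig. 16 procedure described above (traverse the kernel portion of the path from the initial module, authenticate each module 62 by its proffered certificate 64, consult the revocation list 66, and apply the license's tolerance for non-authenticating modules) as an added example; this is not code from the patent, and the module graph, certificate format and serial numbers are constructed for illustration:

```python
"""Added example, not code from the patent: a DRM-system-style traversal of the
kernel portion of a path, authenticating each module by a proffered certificate
(hash-of-module as the verifying feature), consulting a revocation list, and
applying the license's tolerance for non-authenticating modules. All names,
the module graph and the certificates below are constructed for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Certificate:
    """Certificate 64 proffered by a module: a serial plus a hash of the module body."""
    serial: str
    module_hash: str


@dataclass(frozen=True)
class Module:
    """Module 62 in the path: its resident code and the destination modules it feeds."""
    name: str
    code: bytes
    destinations: Tuple[str, ...]
    cert: Optional[Certificate] = None


def issue_certificate(serial: str, code: bytes) -> Certificate:
    """Constructed certifying authority: binds a serial to SHA-256 of the module body."""
    return Certificate(serial, hashlib.sha256(code).hexdigest())


def authenticate(module: Module, revocation_list: Set[str]) -> bool:
    """Steps 1601/1603: certificate present, acceptable (hash matches the code that
    is actually resident), and not on the revocation list 66."""
    cert = module.cert
    if cert is None:
        return False                       # no certificate: cannot authenticate
    if cert.serial in revocation_list:
        return False                       # revoked: treated as non-authenticated
    return cert.module_hash == hashlib.sha256(module.code).hexdigest()


def traverse_path(initial: str, modules: Dict[str, Module],
                  revocation_list: Set[str], allowed_failures: int = 0
                  ) -> Tuple[bool, List[str]]:
    """Fig. 15 style traversal: start at the initial (de-scrambling) module, follow
    destinations, authenticate each module once. The visited set plays the role of
    the patent's database device, so loops in the path are not re-authenticated.
    Returns whether the path is declared trustworthy and which modules failed."""
    visited: Set[str] = set()
    queue: List[str] = [initial]
    failed: List[str] = []
    while queue:
        name = queue.pop(0)
        if name in visited:
            continue                       # loop closed: avoid needless re-authentication
        visited.add(name)
        module = modules[name]
        if not authenticate(module, revocation_list):
            failed.append(name)
        queue.extend(module.destinations)
    # license silent (allowed_failures == 0): a single failure makes the path suspect
    return len(failed) <= allowed_failures, failed


# ---- constructed sample path: descrambler -> filter -> mixer -> (loop back to filter) ----
DESCRAMBLER_CODE = b"descrambler v1"
FILTER_CODE = b"filter v1"
MIXER_CODE = b"mixer v1"

MODULES: Dict[str, Module] = {
    "descrambler": Module("descrambler", DESCRAMBLER_CODE, ("filter",),
                          issue_certificate("CERT-0001", DESCRAMBLER_CODE)),
    "filter": Module("filter", FILTER_CODE, ("mixer",),
                     issue_certificate("CERT-0002", FILTER_CODE)),
    # the mixer feeds back into the filter, forming a loop in the path
    "mixer": Module("mixer", MIXER_CODE, ("filter",),
                    issue_certificate("CERT-0003", MIXER_CODE)),
}


def tampered_path() -> Dict[str, Module]:
    """Same path, but the filter's resident code differs from what was certified."""
    path = dict(MODULES)
    path["filter"] = Module("filter", b"filter v1 (patched)", ("mixer",),
                            MODULES["filter"].cert)
    return path


if __name__ == "__main__":
    print(traverse_path("descrambler", MODULES, set()))                  # (True, [])
    print(traverse_path("descrambler", MODULES, {"CERT-0003"}))          # (False, ['mixer'])
    print(traverse_path("descrambler", tampered_path(), set(), 1))       # (True, ['filter'])
```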



Further Concepts - Security Approval By Way of Specified Security Values 
As discussed above, the DRM system 32 and/or the black box 30 
authenticates the rendering application 34 and the path 58 to ensure that such items can 
be trusted to handle the decrypted or 'naked' digital content 12 in an appropriate manner. 

In one embodiment of the present invention, the process further includes verifying that the rendering 
application 34 and/or each module 62 in the path 58 is of a type secure enough to be 
approved for use by the digital license 16. 

Many different options are available for specifying types of security for a 
rendering application 34 or module 62 that is approved for use by a digital license 16. 
For example, the digital license 16 may appropriately specify that the rendering 
application 34 or module 62 must be from one or more particular sources / suppliers / 
developers, must be one or more particular products, must be one or more particular 
versions of a particular product, or the like. However, it is to be appreciated that such 
specifications are overly limiting in that they may unnecessarily exclude other (perhaps 
newer) sources / suppliers / developers, other (perhaps newer) particular products, other 
(perhaps newer) particular versions of a particular product, or the like. 

In one embodiment of the present invention, then, a type of security of a 
rendering application 34 or module 62 that is approved for use by a digital license 
16 is specified in such digital license 16 in a flexible and robust manner that is not overly 
limiting. In particular, such security type is specified in a scaled manner. One preferred 
security scale is a numerical scale, whereby each rendering application 34 or module 62 
is assigned a number representative of the relative security thereof, and the digital license 
specifies a range within which the number must be if the rendering application 34 or 
module 62 is to be approved for use. However, other security scales may be employed 
without departing from the spirit and scope of the present invention. Such other scales 
may for example include letter scales (A, A-, B+, B, etc.; AAA, AA, A, BBB, BB, etc.; 
e.g.), plus / minus scales (+++, ++, +, -, --, ---, e.g.), or the like. 

Using a numerical security scale, in one embodiment of the 
present invention, each rendering application 34 or module 62 is assigned a security 
value based on a number scale from 0 to 100, where 0 is indicative of a rendering 
application 34 or module 62 that has been deemed not secure, and where 100 is 














34orm^62tav,.pr^g»rf«c»riV™l»»« l « t50 -«~ ttt,ta,,40 ' 20Or 
^.tate^a^-**-*"**"""* 1 - Sucbdtgrti 

tan* 16 may of ««* m ** *■* W " °' 

5 ^(b^20^70,■»^fl»«),«c.),^'«l»»t*p«rt«l*«' 1 » s P ^, 

and scope of the present invention. 

rendering application 34 or module 62 is specified in the form of a certificate 72 attached 

34 (Fig. 4). Such certificate 72 is 

issued by a security value certifying authority 74 that determines the security value 70 based 
on predetermined parameters. Preferably, the certificate 72 is encrypted in a manner 

such that the certificate 72 is inoperable with any other rendering application 34 or 

.MO. ^ • to "* ,l, !V 1 

25 wU c^34orn»d» 1 .62,^d.b^i»v«dii«d^d»c«rnno^72i.«^ 

The security value certifying authority is 

certifying authority. However, it is to be 
the security value 70 may be any appropriate certifying authority 

^ gmB du*an»unocmacL.aacert^^ Vm ' t 
certifying authority could issue an improper certificate 72 to a nefarious entity. 
Accordingly, the security value certifying authority is preferably one trusted by the 

of one or more such trusted security value certifying authorities 74 in the digital license 
16. Such trust may be established, for example, by 

employed by the trusted security value certifying authority 74 
to determine the security value 70 as specified in the certificate 72 may be any 

appropriate method without departing from the spirit and scope of the present invention. Factors going into 
consideration of the security value 70 may include, for example, 

the rendering application 34 or module 62 at issue as well as what kind of 
module 62 is at issue, and the like, among other things. 
In fact, in one embodiment of the present invention, based on such factors, 

in addition, a plurality of security sub-values 70a, 70b, etc. are employed (Fig. 4). As should be 
appreciated, each sub-value 70a, 70b, etc. could be indicative of one factor, and the digital license 16 
can specify a range for each sub-value 70a, 70b, etc., 
or the result of functions of such values 70a, 70b, etc., or the like. 

I of tie present invention, and referring now to Fig. 1 : 
aue wabBtotJa (hereinafierL-rhe DRRsysttmMl 
tug [for use in accordance with the terms 
module 62 meets the security criteria as set forth by digital license 16 (steps 1713, 
1715). If the security value 70, 70a, 70b, etc. does not satisfy the security 
criteria, or if the security value certifying 







certifying authority information in the 

application 34 or module 62, and rendering of the correspo 

permitted (step 1713, 1717). 
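The Fig. 17 approval check described above (a scaled security value 70 carried in a certificate 72 that is bound to one rendering application or module, issued by a certifying authority 74 that the license 16 must list as trusted, with a range per sub-value 70a, 70b) as an added example; this is not the patent's code, and the authority registry, the keyed-MAC binding standing in for the certificate's encryption, and the sample values are constructed for illustration:

```python
"""Added example, not code from the patent: approving a rendering application or
path module by the scaled security value in its certificate 72 (Fig. 17 style).
The license lists trusted certifying authorities 74 and a range per sub-value
70a, 70b; the certificate is bound to the specific module by a keyed MAC.
The authority keys, module bodies and values are constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed registry of security value certifying authorities 74 and their
# signing keys (a deployment would verify a public-key signature instead).
AUTHORITY_KEYS: Dict[str, bytes] = {
    "AuthorityA": b"constructed-key-A",
    "AuthorityB": b"constructed-key-B",
}


@dataclass(frozen=True)
class SecurityCertificate:
    """Certificate 72: sub-values 70a (code integrity), 70b (output handling),
    the issuing authority 74, and a MAC over the values plus the module's hash."""
    authority: str
    values: Tuple[int, int]
    module_hash: str
    mac: str


def _payload(authority: str, values: Tuple[int, int], module_hash: str) -> bytes:
    return f"{authority}|{values[0]}|{values[1]}|{module_hash}".encode()


def issue(authority: str, values: Tuple[int, int], module_code: bytes) -> SecurityCertificate:
    """Certifying authority 74 issues a certificate 72 tied to this module body."""
    module_hash = hashlib.sha256(module_code).hexdigest()
    mac = hmac.new(AUTHORITY_KEYS[authority], _payload(authority, values, module_hash),
                   hashlib.sha256).hexdigest()
    return SecurityCertificate(authority, values, module_hash, mac)


@dataclass(frozen=True)
class License:
    """Digital license 16: trusted authorities and an inclusive range per sub-value."""
    trusted_authorities: Tuple[str, ...]
    ranges: Tuple[Tuple[int, int], Tuple[int, int]]   # ((lo_a, hi_a), (lo_b, hi_b))


def approve(lic: License, cert: SecurityCertificate, module_code: bytes) -> Tuple[bool, str]:
    """Steps 1713-1717: reject if the authority is untrusted, the certificate does not
    belong to this module (or was altered), or any sub-value falls outside its range."""
    if cert.authority not in lic.trusted_authorities:
        return False, "certifying authority not trusted by the license"
    if cert.module_hash != hashlib.sha256(module_code).hexdigest():
        return False, "certificate is not for this module"
    key = AUTHORITY_KEYS.get(cert.authority)
    expected = hmac.new(key, _payload(cert.authority, cert.values, cert.module_hash),
                        hashlib.sha256).hexdigest() if key else ""
    if not hmac.compare_digest(cert.mac, expected):
        return False, "certificate signature does not verify"
    for value, (lo, hi) in zip(cert.values, lic.ranges):
        if not lo <= value <= hi:
            return False, f"security value {value} outside range {lo}-{hi}"
    return True, "approved"


# constructed inputs: one player build and a license trusting only AuthorityA
PLAYER_CODE = b"player build 7"
LICENSE = License(trusted_authorities=("AuthorityA",), ranges=((60, 100), (40, 100)))

if __name__ == "__main__":
    good = issue("AuthorityA", (80, 55), PLAYER_CODE)
    print(approve(LICENSE, good, PLAYER_CODE))                         # (True, 'approved')
    print(approve(LICENSE, issue("AuthorityB", (90, 90), PLAYER_CODE), PLAYER_CODE))
```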

The aforementioned process for approving a 
rendering application 34 or module 62 may be performed at any appropriate time. For example, the process 
may be performed during the evaluation as detailed above in connection with 

Fig. 6, or may be performed as part of the path traversal shown 
in Fig. 15. As may be appreciated, a rendering application 34 may for 

15 e ^ pte ^p 1 a«a t . to .di f foa=a t «»fo,.»^^^«^ Bm 
ftct to be approved in the manner shown in Fig- 17. 

r-^.. - HerM.tr the rmrten K«T ■*>■» <■»■ 
^^^^«nbc^rftnep^«»^«" 

^c^^d^M^loc^.r^coneaponamg^^oon^^ 

(or package 12p) that is the basis of the request. 

Lw^.Ki.tob.awracW^a.chc^-keyd-abaaeM^ 

25 B^beoo»..^^-^^ Mta ^^ M 7 ta ' fe 
Such mammoth size 

a considerable amount of resources must be dedicated to 



maintaining such database 20 and keeping such database 20 up and running. Moreover, 
such mammoth size likely will require that the database 20 reside on its own server (not 
shown), and will require that such server have resources to communicate with one 
or more authoring tools 18, one or more content servers 22, one or more license servers 
24, and the like in an efficient manner, especially if any such elements are remote from 
the database 20. Further, and as should be appreciated by now, the amount of 
communications between the one or more authoring tools 18, one or more content 
servers 22, one or more license servers 24, and the like will be considerable. 

In one embodiment of the present invention, then, such content-key 

in such embodiment, a license server issuing a license 16 to a user's computing device 14 
obtains the decryption key (KD) to be included with such license 16 from the key ID 
included with the license request for such license 16. 

In such embodiment, then, and referring now to Fig. 18, the authoring tool 
18 authoring such digital content 12 or the content server 22 serving such digital content 
12 selects a key ID for the digital content 12 (step 1801), and the content server 22 then 
employs the selected key ID as an input to a function f(), perhaps along with a secret 
'seed' (step 1803). The output of such function f() is then employed as the symmetric 
encryption and decryption key (KD) for the digital content 12: 

f(key ID, seed) => key (KD), 

(step 1805) and such digital content 12 is therefore encrypted according to such key 
(KD) (step 1807). Such encrypted digital content 12 may thereafter be distributed to a 
user's computing device 14 (step 1809). 

The selection of the key ID for the digital content 12 (step 1801) may be 
performed in any appropriate manner without departing from the spirit and scope of the present 
invention. For example, such selection may be done randomly, serially, or the 
like. Moreover, the key ID may be any particular length, have any particular base, be 
alphanumeric, or have other features, again without departing from the spirit and scope 
of the present invention. 
Importantly, the function f() is a one-way function. As may be 
appreciated, in a one-way function, deriving the output from the input(s) and the secret 
seed is relatively easy, but deriving the seed from the input(s) and the output is extremely 
difficult. Accordingly, a nefarious entity with knowledge of the 
function f(), a key (KD), 
and the key ID cannot derive the secret seed without enormous effort. Of course, if such 
nefarious entity should discover the seed, such nefarious entity could decrypt any digital 
content 12 encrypted according to a key (KD) derived from the seed merely by knowing 
the key ID for such digital content 12. 

Any particular one-way function may be employed without departing 
from the spirit and scope of the present invention. For example, a one-way hash function 
such as a secure hashing algorithm (SHA) or MD5 may be employed. The MD5 
algorithm is maintained and/or distributed by RSA Security of Bedford, Massachusetts 
and/or a related entity. The details of one-way functions are known or are apparent to the 
relevant public and therefore need not be described in detail herein. 

As was discussed above, one or more license servers 24 are authorized to 
issue a digital license 16 for the distributed 

stated license servers 24 are provided with the function f() and the seed used to 

server 24 (step 1813), and assuming the request has been approved, the license server 24 

For the license server 24 to obtain such decryption key (KD) in 

supplied as part of the license request information provided in the course of a request for 
a digital license 16 (step 703 of Fig. 7). As may be recalled, and with reference to Fig. 3, 
such key ID is included with the digital content package 12p that contains the encrypted 
digital content 12 (step 1815) and is obtainable therefrom by the user's computing 
device 14. Thus, once the license server 24 has approved the license request, such license 
server 24 obtains the key ID for the digital content 12 from the license request 
information (step 1817) and then employs the obtained key ID as an input to the 
function f() along with the secret seed employed by the content server 22 (step 1819). 
Preferably, the license server 24 and content server 22 agree on the secret seed 
beforehand. Based on such key ID and such seed, such function f() should of course 
output the appropriate decryption key (KD) for the digital content 12: 

f(key ID, seed) => key (KD) 

(step 1821). Such digital license 16 with such key (KD) may thereafter be so sent out to the 
requester's computing device 14 (step 1825). 

As may now be appreciated, in the embodiment of the present invention 
^ tog dtau-* ft. Bc^s. «« 24 . *m • distal Uo«s. 16 fe dig,*! 

^ a *» tawWg. of tta M*J0 - — — i*** « ' 

^^^-^^^di^co^U^a^ 
such key (KD) derived from the seed and the key ID for such digital content 



12. 






Unfortunately, it must be expected that such a nefarious entity will indeed 
discover the seed. Accordingly, in one embodiment of the present invention, the 
seed is changed frequently. The period of such change can be any period without 
departing from the spirit and scope of the present invention. For example, such period 
may be weekly, daily, monthly, etc. In addition, such period may be irregular, again 
without departing from the spirit and scope of the present invention. 

An additional reason for employing multiple seeds is to establish isolated 
pairings between content servers 22 and license servers 24. Thus, a license server 24 
would not be able to issue a license 16 for digital content 12 unless the issuing content 
server 22 has agreed beforehand on a seed with such license server 24. 

Of course, if the seed changes regularly, and/or if multiple seeds are 
employed, a license server 24 issuing a digital license 16 for digital content 12 must 
know which seed was employed to encrypt such digital content 
12. Accordingly, in one 
















seed ID, and such seed ID is included with the digital content 
package 12p with the encrypted digital content 12 (Fig. 3). Such seed 
ID is supplied as part of the license request information provided 
in the course of a request for a digital license 16 (step 703 of Fig. 7). Thus, once the 
license server 24 has approved the license request, such license server 24 obtains the key 
ID and seed ID for the digital content 12 from the license request information (step 
1817) and then employs the obtained key ID as an input to the function f() along with 
the secret seed as known to the license server 24 (step 1819). Of 
course, the appropriate seed is chosen based on the obtained seed ID. Based on 
such key ID and such seed, such function f() should of course output the appropriate 
decryption key (KD) for the digital content 12, as was discussed above (step 1821). 

In an embodiment of the present invention, the seed ID is employed 
as an additional input to the function f(). In particular, in such embodiment, the authoring tool 18 
selects a key ID for the digital content 12 (step 1801), and then employs the selected key 
ID and a seed ID as inputs to the function f() along with the seed, the seed ID being the seed ID for such seed 
(step 1803). The output of such function f() is then employed as the symmetric 
encryption and decryption key (KD) for the digital content 12: 

f(key ID, seed, seed ID) => key (KD), 



(step 1805) and such digital content 12 is therefore encrypted according to such key 
(KD) (step 1807). Such encrypted digital content 12 may thereafter be distributed to a 



user's computing device 14 (step 1809). 

As was discussed above, one or more license servers 24 are authorized to issue 
a digital license 16 for the digital content 12. Preferably, such 
stated license servers 24 are provided with the function f(), each applicable seed, and each seed ID. More 

preferably, each license server 24 includes an appropriate seed database 24s (Fig. 1) 
for storing such seeds and seed IDs. Accordingly, when a digital license 16 is 
requested, the license server 24 can obtain the decryption key (KD) to include in 
the requested digital license 16. 

For the license server 24 to obtain such decryption key (KD), such license 
server 24 obtains the key ID and seed ID from the license request information (step 
1817). Preferably, and as was discussed above, such key ID and seed ID are supplied as 
part of the license request information provided in the course of a request for a digital 
license 16 (step 703 of Fig. 7). As may again be recalled, such 
key ID and seed ID are included with the digital content package 12p that contains 

_ , j ..^ „.,.k gg«aH m snrh fimctioniE 




Based on such key ID, such seed ID 
(steps 1817, 1819), and such seed, such function f() 
should of course output the appropriate decryption key (KD) for the content 12: 

f(key ID, seed, seed ID) => key (KD) 






(step 1821). The license server 24 therefore appropriately packages such key (KD) in the 
digital license 16 that is to be sent out in response to the license request (step 1823). 
Such digital license 16 with such key (KD) may thereafter be so sent out to the 

requester's computing device 14 (step 1825). 

By using multiple seeds and a seed ID for each seed, then, even if a 
nefarious entity somehow should discover one seed, such nefarious entity can only 
access encrypted digital content 12 encrypted according to a key (KD) derived from such 
seed, and cannot access encrypted digital content 12 encrypted according to a key (KD) 
derived from any other seed. 
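The key derivation of Fig. 18 in both forms described above, f(key ID, seed) and f(key ID, seed, seed ID), as an added example that is not the patent's code: the content server derives the content key (KD) and ships the key ID and seed ID with the package, and the license server recomputes the same (KD) from its seed database without any content-key database. HMAC-SHA256 is assumed here as the one-way function f() (the patent names SHA and MD5 only as examples), and the SHAKE-based keystream cipher, seed database and key IDs are constructed for illustration:

```python
"""Added example, not code from the patent: deriving the content key (KD) from a
key ID, a secret seed and a seed ID, f(key ID, seed, seed ID) => KD, so that a
license server holding the seed database can recompute KD from the license
request without any content-key database. HMAC-SHA256 stands in for the
one-way function f(); the keystream cipher, seeds and key IDs are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

Package = Tuple[str, str, bytes]   # (key ID, seed ID, encrypted content): package 12p


def f(key_id: str, seed: bytes, seed_id: str) -> bytes:
    """One-way function f(): easy to compute; the seed is not recoverable from
    KD, the key ID and the seed ID without a brute-force search of the seed."""
    return hmac.new(seed, f"{key_id}|{seed_id}".encode(), hashlib.sha256).digest()


def keystream_xor(kd: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHAKE-256 keystream derived from KD."""
    stream = hashlib.shake_256(kd).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


class ContentServer:
    """Content server 22: selects a key ID (step 1801), derives KD (1803/1805),
    encrypts (1807) and ships key ID and seed ID with the package (1809)."""
    def __init__(self, seeds: Dict[str, bytes], current_seed_id: str):
        self.seeds, self.current_seed_id = seeds, current_seed_id

    def package(self, plaintext: bytes) -> Package:
        key_id = secrets.token_hex(8)              # random key ID selection
        seed_id = self.current_seed_id
        kd = f(key_id, self.seeds[seed_id], seed_id)
        return key_id, seed_id, keystream_xor(kd, plaintext)


class LicenseServer:
    """License server 24 with seed database 24s: recomputes KD from the key ID
    and seed ID carried in the license request (steps 1817-1821)."""
    def __init__(self, seed_database: Dict[str, bytes]):
        self.seed_database = seed_database

    def issue_license(self, key_id: str, seed_id: str) -> bytes:
        seed = self.seed_database.get(seed_id)
        if seed is None:                          # no pairing for this seed: refuse
            raise KeyError(f"no seed for seed ID {seed_id}")
        return f(key_id, seed, seed_id)           # KD to be packaged into license 16


# constructed seed database shared by the content server and the license server
SEEDS: Dict[str, bytes] = {
    "seed-week-01": secrets.token_bytes(32),
    "seed-week-02": secrets.token_bytes(32),
}


def round_trip(plaintext: bytes, seed_id: str) -> Tuple[bytes, Package]:
    """Client side: obtain a license for the package and decrypt with its KD."""
    key_id, sid, ciphertext = ContentServer(SEEDS, seed_id).package(plaintext)
    kd = LicenseServer(SEEDS).issue_license(key_id, sid)
    return keystream_xor(kd, ciphertext), (key_id, sid, ciphertext)


def pairing_enforced(known_seeds: Dict[str, bytes], seed_id: str) -> bool:
    """True when a license server lacking the seed for seed_id refuses to issue."""
    try:
        LicenseServer(known_seeds).issue_license("any-key-id", seed_id)
        return False
    except KeyError:
        return True


def seed_compromise_scope(key_id: str) -> bool:
    """Knowing one seed yields KDs only for content under that seed ID."""
    kd_w01 = f(key_id, SEEDS["seed-week-01"], "seed-week-01")
    kd_w02 = f(key_id, SEEDS["seed-week-02"], "seed-week-02")
    return kd_w01 != kd_w02


if __name__ == "__main__":
    recovered, pkg = round_trip(b"constructed sample content", "seed-week-01")
    print(recovered, pkg[0], pkg[1])
```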



Fgfttr Conor - teffiMgfeflS "1 BlMlt 8,1 M - 

As was discussed above, particularly with reference to Fig. 9, the DRM 
system 32 obtains a new and unique (individualized) black box 30 from a black box 
server 26, and such black box server 26 delivers the individualized 
black box 30 with a new public / private key pair (PU-BB, PR-BB) (and/or with other 
keys). In one embodiment of the present invention, 
the black box server 26 individualizes each black box 30 by individualizing an 
executable program file that is delivered to and is resident on the DRM system 32 / the 
user's computing device 14. Such executable program file may be a .dll (dynamically 
linked library) or the like 
without departing from the spirit and scope of the present invention. 

Preferably, the individualization of the bb.dll or the like is performed in a 
manner such that the bb.dll and DRM system 32 are BORE (Break Once, Run 
Everywhere)-resistant. In particular, the bb.dll executable is individualized since such executable 
contains the 'secret' that is the goal of such attack. 

One method for implementing BORE-resistance is disclosed in detail in 
a document entitled "BORE-Resistant Digital Goods 









Configuration and Distribution Methods And Arrangements" and filed March 14, 2000 
(Attorney Docket No. MS1-394US / 131064.1), hereby incorporated by reference. 
Briefly, the method of BORE-resistance disclosed in such document is achieved in a 
manner akin to code optimization. As is known, code optimization is a process 
performed by a software and/or hardware tool such as a code optimizer or the like (not 
shown). 
In essence, the code optimizer re-
arranges portions of the code according to the optimization parameters to produce an 
optimized version that is functionally the same (i.e., performs the same functions) but 
operationally optimized. A plurality of copies of such optimized version may then 
be widely distributed. 

However, if the aforementioned code optimizer is run a plurality of times, 
each time with randomized optimization parameters, each resulting randomized 
version is functionally the same as but operationally different from every other such version. 

Such a code optimizer run with randomized parameters is a code randomizer 
78 operated in connection with the black box server 26, as is seen 
in Fig. 19. Importantly, such operationally different versions of code operate with a 
different program flow, among other things. Accordingly, a determination of the 
program flow of one version to find the secret in the one version is inapplicable to a different 
version. Put simply, a piece of code randomized by such a code randomizer 78 is 
BORE-resistant. 
spirit and scope of the present invention. 

it of the present invention, and referring now to Figs. 















20A-20C, a new individualized bb.dll 80 is requested from a black box server 26 or the 
like (steps 2001, 2003 of Fig. 20A, step 901 of Fig. 9), 

^ aMwWi vi^l»b^80^^^»^«^ DRMSS5,em 



32. 

As was discussed above, 



individualized bb.dll 80 
perhaps other keys, 



idualized 



Importantly, the new individualized 



iiresponding 

iividualized 



generated according to such old 

old key sets and old public / private key pairs. In 

80 is provided with access to old key sets and old public / private key pairs 

0 F _ = a.. w«ck box server 26 



In one embodiment of the present invention, 

^ 84 <F ig. 19) m . ******* - *f * « -I •* to 

^ _. ..i_j-a.aU Vbv sets and 



particular, 
akeymax 

new individualized bb.dll 80 

82 along with the new individualized bb.dll 80. 

bb.dll 80, preferably with at least (PR-BB) hidden. In any case, the key file 82 is 
encrypted and the bb.dll 80 includes a 'secret' that allows it to gain access to the 
key file 82. The secret may be the new black box private key (PR-BB) in 
which case the key file 82 is encrypted according to the new black box public key (PU-
BB). Alternatively, the secret may be a symmetric key, in which 

may of course be employed and only the old key sets in the key file 82 may be 
encrypted, without departing from the spirit and scope of the present invention. 

Referring still to Figs. 19 and 20, the process of preparing the new 
individualized bb.dll 80 (i.e., the '(n)th bb.dll 80') and the new key file 82 (i.e., the '(n)th 
key file 82') by the key manager 84 in response to a request from a DRM system 32 may 
take place in the following manner. Such process may be initiated by a request from the 
DRM system (step 2003), or by another request, for example. As will be explained in 
more detail below, such request may be accompanied by one or more pieces of 
information, including the (n-1)th key file 82 (step 
2005). Preferably, the (n-1)th key file 82 is sent to the black box server 26 along with a 
digital signature verifying such (n-1)th key file 82. Alternatively, the digital signature 
could verify the entire request including such (n-1)th key file 82 and all other contents. 

In response to the request, the key manager 84 checks the digital signature 
to verify same and proceeds if the verification is positive (step 2007). The key manager 
84 then extracts the (n-1)th key file 82 from the request and the old / old and new key sets 
therefrom. However, the (n-1)th key file 82 and/or the key sets therein are encrypted 
according to the secret of the old bb.dll 80 (i.e., the '(n-1)th bb.dll 80'), as was 
discussed above. Accordingly, to access the key sets in the (n-1)th key file 82, the DRM 
system 32 must include the secret of the (n-1)th bb.dll 80 with the request for the (n)th 
bb.dll 80. Of course, this runs counter to the notion that such secret should not be 
revealed to the world outside the bb.dll 80, especially if the secret is PR-BB. 

to the black box server 26 and key 



manager 84. 
If the secret is embedded in the bb.dll 80, such secret may be supplied to 

doing so may be cumbersome, especially if such bb.dll 80 is relatively large. 

from when the bb.dll 80 was originally individualized. However, such database could 
be exceedingly huge and therefore unwieldy. 

In one embodiment of the present invention, then, the secret is preferably 
present in the key file 82 to be delivered 

The key manager 84 












key file 82, such key manager 84 included in such key file 82 the secret, 
whether the secret is PR-BB or some other secret. Thus, when the key 
manager 84 receives such key file 82, such secret is available in such key file 82. Of course, 
the (n-1)th secret is in the (n-1)th key file 82 in a form available to the key 
manager 84, but not available to the remainder of the world. 

As an alternative, the secret is already present at the black box server 26 / 

20 kevn^Hin^sn^a^d^Mudrng^s^.n^Jy 

Preferably, the (n-1)th secret is encrypted according to a 'SUPER' 
key known only to the black box server 26 / key manager 84 (SUPER(secret)), as is seen 
in Fig. 19. Other 
key arrangements may be employed without departing from the spirit and scope of 
the present invention. For example, if the (n-1)th secret is embodied in the (n-1)th key 
set, the (n-1)th key file 82 may include (SUPER(key sets)), (secret(key sets)), and an 
appropriate attached digital certificate. 

Note, though, that in some instances, an entity other than the black box
server 26 / key manager 84 may need to access the key sets, and such other entity
would not have access to the 'SUPER' key. Such an instance may for example occur on
an initial build of a DRM system 32 on a computing device 14, where the DRM system
32 in essence builds an initial key file 82 itself. In such case, such other entity is
provided with the secret and employs (secret(key sets)) in lieu
of the 'SUPER' key to decrypt (key sets).

Thus, based on the old key sets from the (n-1)th key file 82, the key
manager 84 places appropriate key sets in the (n)th key file 82 (step 2017). Note
that the key manager 84 also generates a new key set including the black box key pair
(PU-BB, PR-BB, etc.) (step 2013), and uses the secret to encrypt the new key set and the
old key sets to be placed in such (n)th key file 82 (step 2015). Any appropriate mechanism
may be employed to place such key sets in the (n)th key file 82 without departing from
the spirit and scope of the present invention, provided that such key sets are in a form
readable by the (n)th bb.dll 80.

Moreover, to tie the (n)th key file 82 and by extension the (n)th bb.dll 80
to the computing device 14, the key manager 84 obtains the hardware ID
(HWID) from the (n-1)th key file 82 or from the initial black box request (step 2021),
and then appropriately places such HWID in the (n)th key file 82 (as shown in Fig. 19).
As should be appreciated, the HWID of the computing device 14
may be any appropriate identification that can be obtained from an appropriate
memory location on the user's computing device 14 and that in fact identifies such
computing device 14. For example, the HWID may be a CPU ID on the computing
device 14, an identifier included in a memory on the computing device 14, an
identifier developed from indicia of elements of the computing device (size of hard drive,
size of RAM, etc.), or the like. The HWID may be placed in the key file 82 in an
encrypted form or may be left unencrypted if validated by way of a digital signature or
the like.

Of course, the (n)th bb.dll 80 must still be prepared. To do so, the code
randomizer 78 of the black box server 26 is run with randomized parameters 81 and the
master bb.dll 80 as inputs to produce an individualized bb.dll 80 with reserved
spaces for additional information (step 2025, Fig. 20B). Such randomized parameters
81 may be selected in any appropriate manner without departing from the spirit and
scope of the present invention. For example, such randomized parameters 81 may be
truly random, or may include information as received in connection with the request,
such as the HWID (step 2003). If the HWID is employed as a randomized parameter 81,
such HWID may be obtained in connection with step 2021.

Preferably, the code optimizer 78 notes where the reserved spaces are
located in the produced individualized bb.dll 80 (step 2027), and provides such
locations (for example in a 'help file' or the like) to an injector 86 of the black box
server 26. The injector 86 then injects the encrypted secret into the received bb.dll 80
in the reserved spaces (step 2033). As may be appreciated, the
reserved spaces in the bb.dll 80 may comprise any appropriate structure(s) at any
appropriate location(s). Most importantly, the secret is injected into the
reserved spaces in such a manner and the reserved spaces are arranged in such a manner
that such secret cannot be found in any
practical manner by a nefarious entity. Any appropriate arrangement may
be employed without departing from the spirit and scope of the present invention.

Preferably, the reserved spaces are varied with respect to each
individualized bb.dll 80 as part of the individualization performed by the code
randomizer 78. Appropriate decryption information must be available to the bb.dll 80
to decrypt such encrypted secret. The injector 86 may also inject the HWID into the
received bb.dll 80 in the reserved spaces. If the HWID is employed in connection
with the injector 86, such HWID may be obtained in connection with step 2021.
With the (n)th bb.dll 80, such (n)th bb.dll 80 and (n)th key file 82 are
essentially ready for delivery to the requesting computing device 14. Prior to such
delivery, such (n)th bb.dll 80 is preferably delivered to a signature generator 88 (Fig. 19)
that generates a digital signature based on the bb.dll 80 and that couples the generated
digital signature to the (n)th bb.dll 80 in an appropriate manner (step 2035).
As may be appreciated, such digital signature is employed (for example) to assist the
computing device 14 to verify that the (n)th bb.dll 80 has not been altered.

Prior to delivering the (n)th bb.dll 80 and the (n)th key file 82 to the
requesting DRM system 32, the black box server 26 preferably produces a digital
certificate for the (n)th black box 30 (which is instantiated based on the (n)th bb.dll 80)
(step 2037). As is to be appreciated, such digital certificate attests that the black
box 30 is to be trusted. Such produced digital certificate may then be added to the (n)th
key file 82 (as shown in Fig. 19) (step 2039), may be attached to the (n)th bb.dll 80, or may
be placed in another file. The black box server 26 then delivers such (n)th bb.dll 80,
(n)th key file 82, and any other files to the requesting DRM system 32 (step 2043).
The DRM system 32 verifies such data upon receipt (step 2045). Such DRM system 32
then installs the (n)th bb.dll 80, (n)th key file 82, and any other files so received (step
2047). As may be appreciated, the upgrade process from trigger to installation
may require a relatively long time to be performed. That is, the
period of time between the trigger and request (steps 2001, 2003 of Fig. 20A, step 901 of
Fig. 9) and the receipt and installation of the new black box 30 (steps 2045, 2047 of Fig.
20C, steps 907, 909 of Fig. 9) can be considerable. Accordingly, it may be advisable to
perform some of the steps in Figs. 20A-20C beforehand.

In one embodiment of the present invention, then, the code randomizer 78
is operated beforehand to produce multiple randomized bb.dll's 80, and such multiple
bb.dll's 80 are stored or 'placed on the shelf' until needed in response to a
request (step 2003). If a help file is produced in connection with each randomized
bb.dll 80 as was discussed above, such help file should be stored or placed on the shelf
with such bb.dll 80 or stored in some other known location. In response to a request,
then, one of the bb.dll's 80 is 'taken from the shelf' and employed as the (n)th bb.dll 80
to be delivered to the requesting user's computing device 14. Of course, such (n)th
bb.dll 80 must be injected with the appropriate secret, and the remaining
steps as shown in Figs. 20A-20C and discussed above must be performed.
To perform the injection function (step 2033), the help file corresponding to such
bb.dll 80 (if such a help file is indeed employed) must be located and appropriately
employed. Since producing each randomized bb.dll 80 may be a time-intensive task,
the code randomizer 78 may be operated on its own schedule if need be. Of course, if the
code randomizer 78 is operated beforehand, such code randomizer cannot be operated
based on information from the request, such as the HWID. Nevertheless, no such
information is believed to be vital to the code randomization operation performed by
the code randomizer 78.

In a variation on the aforementioned embodiment, the process of
steps 2025-2035 is performed beforehand to produce multiple completed
randomized bb.dll's 80 with respective secrets already injected. However, in such
case, each secret as selected and employed by the injector 86 or the like must also be
stored (a la step 2019) for later retrieval and use by the key manager 84 or the like.
Such completed bb.dll's 80 are then stored or 'placed on the shelf' until needed in
response to a request (step 2003). In response to such request (step 2003), then, one of
the bb.dll's 80 is 'taken from the shelf' and employed as the (n)th bb.dll 80 to be
delivered to the requesting user's computing device 14. Here, the secret injected into
such (n)th bb.dll 80 (step 2033) is the stored secret retrieved for use by the key manager
84. Of course, if the process of steps 2025-2035 is performed beforehand, such (n)th
bb.dll 80 cannot be produced based on any information that could be derived from the
request, such as the HWID. Again, though, no such information is believed to be vital
to the aforementioned process.

In particular, the bb.dll 80 need not absolutely have the HWID injected
therein. As should be appreciated, such bb.dll 80 is tied to such computing device 14 by
way of the corresponding (n)th key file 82, since such HWID is first placed in such (n)th
key file 82 and such (n)th bb.dll 80 corresponds to such (n)th key file 82. Thus, the
black box 30 comprising such (n)th key file 82 and such (n)th bb.dll 80 is
tightly tied to or associated with the user's computing device 14. Accordingly, such
upgraded black box 30 cannot be openly transferred among multiple computing
devices 14. In particular, if such upgraded black box 30 is transferred to a second
computing device 14 with an HWID different from the one in such (n)th key file 82, the
transferred black box 30 will detect that the HWID of the second computing device 14
does not match and will prohibit a requested rendering from being performed on such
other computing device 14.

As was stated beforehand, each bb.dll 80 should be unique with a unique
set of keys. However, the number of copies of any particular bb.dll 80 should at least be
relatively small. By not injecting the HWID into each bb.dll 80 (and instead placing
such HWID only in the corresponding key file 82 during updating), throughput in
producing such bb.dll's 80 by the black box server 26 is significantly increased, with
little if any real reduction in
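The shelf-based production described in this passage, together with the injection into reserved spaces and the signature generator step discussed earlier, modelled as an added example (not the patent's or any product's code). The executable is a byte blob: the code randomizer is stood in for by varying where the reserved spaces fall, the help file is a list of offsets, and the signature generator is replaced by an HMAC so the example runs with the standard library alone. `RESERVED_LEN`, `SIGNING_KEY`, the master blob and every injected value are constructed assumptions.

```python
"""Added example (not the patent's code): the 'on the shelf' flow for individualized
bb.dll executables. A blob stands in for the executable; RESERVED_LEN, SIGNING_KEY,
the master blob and every injected value are constructed for the example."""
import hashlib
import hmac
import random
from dataclasses import dataclass

RESERVED_LEN = 32                         # assumed size of each reserved space
RESERVED_COUNT = 2                        # slot 0: encrypted secret, slot 1: HWID (optional)
SIGNING_KEY = b"constructed-signing-key"  # stand-in for the signature generator 88 key
EMPTY = b"\x00" * RESERVED_LEN            # an unfilled reserved space


@dataclass
class ShelfItem:
    """An individualized executable plus its 'help file' of reserved-space offsets."""
    executable: bytes
    help_file: list


def randomize(master: bytes, seed: int) -> ShelfItem:
    """Stand-in for the code randomizer 78 (steps 2025, 2027). Real individualization
    re-arranges code; here copies differ only in where the reserved spaces fall and in
    the random filler before them, which is enough to show why a help file is kept."""
    rng = random.Random(seed)
    chunks = [master[i:i + 16] for i in range(0, len(master), 16)]
    slots = set(rng.sample(range(len(chunks)), RESERVED_COUNT))
    out, offsets = bytearray(), []
    for idx, chunk in enumerate(chunks):
        out += chunk
        if idx in slots:
            out += bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 8)))  # filler
            offsets.append(len(out))          # the help file records this offset
            out += EMPTY
    return ShelfItem(bytes(out), offsets)


def inject(item: ShelfItem, encrypted_secret: bytes, hwid) -> bytes:
    """Stand-in for the injector 86 (step 2033): fill the reserved spaces found via the
    help file. The HWID is optional because, as the text notes, it may live only in
    the key file 82."""
    fields = [encrypted_secret, hwid if hwid is not None else b""]
    buf = bytearray(item.executable)
    for off, value in zip(item.help_file, fields):
        if len(value) > RESERVED_LEN:
            raise ValueError("value does not fit the reserved space")
        buf[off:off + RESERVED_LEN] = value.ljust(RESERVED_LEN, b"\x00")
    return bytes(buf)


def sign(executable: bytes) -> bytes:
    """Stand-in for the signature generator 88 (step 2035). HMAC-SHA256 replaces a
    public-key signature so the example needs only the standard library; it is
    computed after injection, over the final bytes."""
    return hmac.new(SIGNING_KEY, executable, hashlib.sha256).digest()


def verify(executable: bytes, signature: bytes) -> bool:
    """The check the receiving DRM system 32 makes on receipt (step 2045)."""
    return hmac.compare_digest(sign(executable), signature)


def read_field(executable: bytes, help_file: list, index: int) -> bytes:
    """Recover an injected field; without the help file the offsets are unknown.
    Trailing NUL padding is stripped, so injected values must not end in NUL."""
    off = help_file[index]
    return executable[off:off + RESERVED_LEN].rstrip(b"\x00")


def fulfil_request(shelf: list, encrypted_secret: bytes, hwid):
    """Take the next executable 'from the shelf' (step 2003), inject, then sign.
    Returns (executable, signature, help_file)."""
    item = shelf.pop(0)
    exe = inject(item, encrypted_secret, hwid)
    return exe, sign(exe), item.help_file


MASTER = bytes(range(64))   # constructed stand-in for the master bb.dll

if __name__ == "__main__":
    shelf = [randomize(MASTER, seed) for seed in range(3)]     # produced beforehand
    exe, sig, help_file = fulfil_request(shelf, b"enc-secret-bytes", b"HWID-1234")
    print(verify(exe, sig), read_field(exe, help_file, 1))
```

Two points the passage makes are visible in the code: the signature must be generated over the executable as finally delivered, so signing happens after injection rather than when the copy is put on the shelf; and once the help file is discarded, nothing in the blob itself marks where the reserved spaces are, which is why the later backup / restore discussion treats re-locating an injected HWID without the help file as impractical.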






Further Concepts - Backup and Restore

As was just discussed, the black box 30 of the DRM system 32 includes
the (n)th key file 82 and the (n)th bb.dll 80 and is tightly tied to or associated with the
user's computing device 14 by including the HWID from such computing device 14.
Thus, each license 16 containing a decryption key (KD) encrypted according to a black
box public key (PU-BB) stored in the (n)th key file 82 is also tightly tied to the
computing device 14, as is the DRM system 32 itself. If the DRM system 32 senses that
the HWID of the computing device 14 is not the same HWID specified in the black box
30, such DRM system 32 concludes that it is not for the computing device 14 and
prohibits some if not all rendering of digital content 12 by such DRM system 32.
Accordingly, a license 16 issued to one DRM system 32 on a first user machine 14 is
bound by a 'chain' to the HWID of the first user machine 14 by way of the key file 82
and cannot be employed in connection with a copied DRM client 32 on a second
machine 14.

However, on occasion, the HWID of the computing device 14 changes
through no fault of the user and without any deceptive or nefarious intent on the part of
the user. For example, the user may have obtained a new computing device
14 with a different DRM system 32 thereon. As other examples, the HWID may have
become corrupted, may have been re-assigned, or otherwise may have changed due to a
change in the computing device 14 such as a new operating system or a new piece of
hardware or software. In such a situation, then, it is preferable that a mechanism be
available to re-establish the chain between each license 16 and the changed HWID.

Generally, in the present invention, any such mechanism essentially
contacts a backup / restore server and sends one or more files or the like to such backup /
restore server, where such files existed in connection with the prior HWID and were
previously saved and include important tying information. Such backup / restore server
then alters each file or creates new corresponding files and then returns such files to the
DRM system 32, where such altered / new files appropriately re-establish the chain
between each license 16 and the changed HWID of the computing device 14 upon which
the DRM system 32 resides.

Remember now that a piece of digital content 12 is encrypted according to
a decryption key (KD). Remember also that a corresponding license 16 issued for a
DRM system 32 contains the decryption key (KD) encrypted according to a black box
public key (PU-BB). Remember in addition that PU-BB (if old) is expected to be in the
key file 82 of the black box 30 of such DRM system 32. Remember further that the key
file 82 includes the HWID of the computing system 14 upon which the DRM system 32
resides. Now, if the HWID were to change, either because the computing device 14 has
legitimately changed, or for some other legitimate reason, two scenarios can occur: the
same DRM system 32 with the same black box 30 and the same key file 82 exists in
connection with the new HWID, or a new DRM system 32 with a new black box 30 and
a 'pristine' key file 82 is installed in connection with the new HWID.

In the former case, the new key file 82 has the wrong HWID, but has the
old key sets having the old keys for the older licenses 16. Thus, the link in the chain
between each license 16 and the computing device 14 that is missing is the correct
HWID. In the latter case, the new key file 82 has the right HWID, but does not have the
old key sets having the old keys for the older licenses 16. Thus, the link in the chain
between each license 16 and the computing device 14 that is missing is the necessary old
key sets in the old key file 82. It is necessary, then, at least in the latter case, to maintain
a saved copy of the old key file 82. However, to adequately address either case with a
single protocol, it is necessary to maintain a saved copy of the old key file 82, as will be
explained in detail below. Any particular mechanism may be employed to save such
copy of the old key file 82 without departing from the spirit and scope of the present
invention.



In particular, in one embodiment of the present invention, each license 16
is re-tied to the computing device 14 by employing the aforementioned backup / restore
server to appropriately alter the HWID in such old key file 82 to correspond to the
current HWID of the computing device 14 upon which the DRM system 32 resides, and
then by appropriately installing such old key file 82 in such DRM system 32. As should
be appreciated, such protocol adequately addresses each of the aforementioned cases.
Here, the black box server 26 may act as the aforementioned backup / restore server,
although another server such as a dedicated server may be employed without departing
from the spirit and scope of the present invention.

Referring now to Fig. 21, in such embodiment, when a backup / restore
function is necessary due to a changed HWID on a computing device 14 or a new
HWID on a new computing system 14, the DRM system 32 sends a backup / restore
request to the black box server 26 acting as the backup / restore server (step 2101). Such
request may be sent automatically or upon approval by the user of the computing device
14. The user may also actively initiate the request without departing from the spirit and
scope of the present invention. As was discussed above, the request includes the old key
file 82 (i.e., the saved copy having the necessary old key sets) and the new / changed
HWID (i.e., 'the new HWID'). Of course, the request may also include other
information without departing from the spirit and scope of the present invention.

In response to the request, the backup / restore server (black box server
26) locates the HWID already present in the old key file 82 (i.e., 'the old HWID') and
appropriately replaces such old HWID with the new HWID (steps 2103, 2105), and then
sends the changed old key file 82 back to the DRM system 32 (step 2107). Preferably,
the old key sets stored in such changed old key file 82 are not altered in the course of
replacing the HWID therein. Accordingly, such old key sets will be available to licenses
16 stored on the DRM system 32 when the changed old key file 82 is appropriately
installed in the DRM system 32 residing on the computing device 14 at issue.

In one particular form of the present embodiment, the location and
replacement of the old HWID (steps 2103, 2105) is performed as a stand-
alone operation so that the old key file 82 is not otherwise modified. Of course, even if
only the old HWID in such old key file 82 is replaced with the new HWID, any items in
the old key file 82 that rely on such old HWID must also be altered. For example, digital
certificates and/or digital signatures in the old key file 82 that are based at least in part on
the old HWID must be altered or re-written based on the new HWID. Moreover, the
bb.dll 80 corresponding to the old key file 82 must also be altered if it relies on such old
HWID. Remember that the HWID may be
injected into the corresponding bb.dll 80, and may be employed as another mechanism to
tie the black box 30 containing such bb.dll 80 to the computing device 14 upon which the
DRM system resides.

As should be appreciated, then, it may be exceedingly difficult to perform
each and every necessary alteration with respect to the old HWID in both the old key file
82 and the corresponding bb.dll 80. Further, such alterations quickly become
burdensome in connection with the request (step 2101). In addition, it may be
all but impossible to perform such alterations if the old HWID was injected into the
corresponding bb.dll 80 and now must be located without the assistance of any help file,
or if the corresponding bb.dll 80 is not available.

Accordingly, in a preferred embodiment of the present invention, the
re-tying is performed by way of an upgrade of the black box 30 in the
manner shown in Figs. 20A-20C. As should be appreciated, though, such a 're-tie
upgrade' differs from a 'regular upgrade' in that the (n-1)th key file 82 is not forwarded
to the key manager 84, as in a regular upgrade (step 2005 of Fig. 20A). Instead, the
saved copy of the old key file 82 is forwarded to the key manager 84 (step
2005' of Fig. 20D). Also, such a 're-tie upgrade' differs from a 'regular upgrade' in that
the HWID obtained is not the old HWID from the (n-1)th key file 82, as in a regular
upgrade (step 2021, Fig. 20B). Instead, and as seen in Fig. 20D, such HWID obtained
is the new HWID as received with the request. Other than with respect to the foregoing
information, the re-tie upgrade in such embodiment is substantially the same as the
regular upgrade. As
should now be apparent, such re-tie upgrade is a relatively simple way to alter the HWID
in the key file 82 since the structure of Fig. 19 and the steps of Figs. 20A-20C generally
take care of all details regarding the placement of the new HWID in the normal course
of performing the upgrade. Moreover, a re-tie upgrade has the added benefit of providing
an upgraded black box 30.

The changed key file 82 (or upgraded black box 30 with re-tied key file
82) is received by the DRM system 32 from the backup / restore server and appropriately
installed in such DRM system 32 as part of the black box 30 (step 2109 of Fig. 21, steps
2045', 2047' of Fig. 20D). The chain between each license 16 and the new HWID of the
computing device 14 upon which the DRM system 32 resides is now complete. In
particular, each license 16 contains a decryption key (KD) encrypted according to a black
box public key (PU-BB) stored in the changed key file 82 (or upgraded black box 30
with re-tied key file 82), and therefore is tied thereto. Correspondingly, the black box 30
of the DRM system 32 includes the changed key file 82 (or upgraded black box 30 with
re-tied key file 82) which now includes the new HWID of the computing device 14, and
therefore is tied to such computing device 14.

In one embodiment of the present invention, rather than altering or
upgrading the key file 82 / black box 30 to complete the chain between each license 16
and the new HWID of the computing device 14, each existing digital license 16
associated with the DRM system 32 is re-written to be tied to the black box 30. This of
course assumes that such black box 30 of such DRM system 32 is tied to the proper
HWID. In particular, the decryption key encrypted by an old PU-BB ( PU-BB[old] (KD)
) in the license is replaced by such decryption key encrypted by the PU-BB of the
properly tied black box 30 ( PU-BB[new] (KD) ). Here, again,
the aforementioned copy of the old key file 82 must be saved, for reasons that will be
explained below.

To re-write a license 16, then, and referring now to
Fig. 22, the DRM system 32 at issue sends the license 16 to a backup / restore server,
along with the copy of the old key file 82, and a copy of ( PU-BB[new] ), perhaps in the
form of an appropriate certificate (step 2201) (i.e., the same information that is normally
sent to the license server 24 during a request for a license 16). Of course, multiple
licenses 16 may be sent to the backup / restore server for re-writing without departing
from the spirit and scope of the present invention. Here, the backup / restore server may
be the license server 24, the black box server 26, or another server, such as for example a
dedicated server, without departing from the spirit and scope of the present invention.

The backup / restore server here extracts ( PU-BB[old] (KD) ) from the
license 16 (step 2203), extracts the old key sets from the old key file 82 in a manner akin
to that discussed above in connection with step 2011 of Fig. 20B (step 2205), locates the
( PR-BB[old] ) corresponding to the ( PU-BB[old] ) of ( PU-BB[old] (KD) ) from the
license 16 (step 2207), applies ( PR-BB[old] ) to ( PU-BB[old] (KD) ) to obtain (KD)
(step 2209), encrypts (KD) based on (PU-BB[new]) to produce ( PU-BB[new] (KD) )
(step 2211), and then inserts such ( PU-BB[new] (KD) ) back into the license 16 (step
2213). Such re-written license 16 with ( PU-BB[new] (KD) ) may then be signed and
returned to the DRM system 32 at issue (step 2215) and stored in the license store 38
(Fig. 4) (step 2217).

The chain between the re-written license 16 as received from the backup /
restore server and the new HWID of the computing device 14 upon which the DRM
system 32 resides is now complete. In particular, the license 16 contains a decryption
key (KD) encrypted according to the black box public key (PU-BB[new]) of the black
box 30 of the new DRM system 32, and therefore is tied thereto. Correspondingly, the
black box 30 of the new DRM system 32 includes a key file 82 which includes the new
HWID of the computing device 14, and therefore is tied to such computing device 14.
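The two re-tying protocols described above (the HWID replacement in the old key file 82 of Fig. 21, and the license re-write of Fig. 22), together with the chain check the DRM system 32 makes between license, key file and HWID, modelled as an added example. This is not the patent's code: a textbook RSA toy with tiny primes stands in for PU-BB / PR-BB and is not secure; key sets are kept in the clear where the patent holds them as (secret(key sets)); the HWIDs, content id, key values and the backup / restore server's signing key are all constructed.

```python
"""Added example (not the patent's code): the two re-tying protocols of the backup /
restore server (Fig. 21 key file re-tie, Fig. 22 license re-write) and the chain check
the DRM system makes. A toy textbook RSA with tiny primes stands in for
PU-BB / PR-BB and is not secure; key sets are kept in the clear where the patent
holds them as (secret(key sets)); HWIDs, ids and the server key are constructed."""
import copy
import hashlib
import json


def toy_keypair(p: int, q: int, e: int):
    """Textbook RSA on tiny constructed primes: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key, m: int) -> int:
    """Encrypt with a public key, or decrypt / sign with a private one (m < n)."""
    n, exp = key
    return pow(m, exp, n)


def digest_mod(record: dict, n: int) -> int:
    """Canonical hash of a record without its signature, reduced into the toy modulus."""
    body = {k: v for k, v in record.items() if k != "signature"}
    h = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).digest()
    return int.from_bytes(h, "big") % n


def sign(record: dict, server_priv) -> dict:
    signed = dict(record)
    signed["signature"] = rsa_apply(server_priv, digest_mod(record, server_priv[0]))
    return signed


def verify(record: dict, server_pub) -> bool:
    if "signature" not in record:
        return False
    return rsa_apply(server_pub, record["signature"]) == digest_mod(record, server_pub[0])


# ---- backup / restore server side ----------------------------------------

def retie_key_file(old_key_file: dict, new_hwid: str, server_priv) -> dict:
    """Fig. 21, steps 2103-2107: replace the old HWID, leave the old key sets untouched
    so existing licenses still match, and re-sign because the old signature covered
    the old HWID (the kind of HWID-dependent item the text says must be re-written)."""
    changed = copy.deepcopy(old_key_file)
    changed["hwid"] = new_hwid
    return sign(changed, server_priv)


def rewrite_license(lic: dict, old_key_file: dict, pub_bb_new, server_priv) -> dict:
    """Fig. 22, steps 2203-2215: re-wrap KD from PU-BB[old] to PU-BB[new]."""
    enc_kd_old = lic["enc_kd"]                                        # step 2203
    key_sets = old_key_file["key_sets"]                               # step 2205
    match = [ks for ks in key_sets if tuple(ks["pub"]) == tuple(lic["pub_bb"])]
    if not match:                                                     # step 2207
        raise LookupError("old key file holds no key set for this license")
    kd = rsa_apply(match[0]["priv"], enc_kd_old)                      # step 2209
    new_lic = dict(lic)
    new_lic["pub_bb"] = pub_bb_new
    new_lic["enc_kd"] = rsa_apply(pub_bb_new, kd)                     # steps 2211, 2213
    return sign(new_lic, server_priv)                                 # step 2215


# ---- DRM system side -------------------------------------------------------

def chain_complete(lic: dict, key_file: dict, device_hwid: str, server_pub) -> bool:
    """license -> key file -> device: every link must hold before rendering."""
    if not (verify(lic, server_pub) and verify(key_file, server_pub)):
        return False
    if key_file["hwid"] != device_hwid:        # black box is not for this device
        return False
    pubs = [tuple(ks["pub"]) for ks in key_file["key_sets"]]
    return tuple(lic["pub_bb"]) in pubs        # license is wrapped for this black box


# ---- constructed sample data -------------------------------------------------
SERVER_PUB, SERVER_PRIV = toy_keypair(211, 223, 17)  # backup / restore server key
PUB_OLD, PRIV_OLD = toy_keypair(61, 53, 17)          # PU-BB[old] / PR-BB[old]
PUB_NEW, PRIV_NEW = toy_keypair(101, 113, 3)         # PU-BB[new] / PR-BB[new]
KD = 1234                                            # content key as a small int

OLD_KEY_FILE = sign({"hwid": "HWID-OLD",
                     "key_sets": [{"pub": PUB_OLD, "priv": PRIV_OLD}]}, SERVER_PRIV)
NEW_KEY_FILE = sign({"hwid": "HWID-NEW",
                     "key_sets": [{"pub": PUB_NEW, "priv": PRIV_NEW}]}, SERVER_PRIV)
LICENSE = sign({"content": "song-42", "pub_bb": PUB_OLD,
                "enc_kd": rsa_apply(PUB_OLD, KD)}, SERVER_PRIV)

if __name__ == "__main__":
    print(chain_complete(LICENSE, OLD_KEY_FILE, "HWID-NEW", SERVER_PUB))   # broken chain
    print(chain_complete(LICENSE, retie_key_file(OLD_KEY_FILE, "HWID-NEW", SERVER_PRIV),
                         "HWID-NEW", SERVER_PUB))                          # re-tied
    print(chain_complete(rewrite_license(LICENSE, OLD_KEY_FILE, PUB_NEW, SERVER_PRIV),
                         NEW_KEY_FILE, "HWID-NEW", SERVER_PUB))            # re-written
```

The two protocols repair different links: `retie_key_file` fixes the key file to device link and leaves the license alone, while `rewrite_license` fixes the license to key file link so that a pristine key file with only new keys can serve it. Both need the saved old key file, since PR-BB[old] lives nowhere else; that is the reason the text gives for keeping a copy.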

It is to be noted that the present embodiment requires that each license 16
be individually re-written. This of course can be quite cumbersome and time-consuming.
However, the present embodiment does have a significant advantage in that each
existing license 16 may include an option to prevent such re-writing, where such
option would be specified by the issuer of the license 16.
In another embodiment of the present invention, rather than re-writing
each license 16, such license 16 is re-issued by the issuing license server 24 in the
manner set forth above. As before, such license 16 may include an option to
prevent such re-issuance. Of course, re-issuance cannot take place if the license server
24 no longer is able to re-issue the license 16 for any of a variety of reasons.

In a further embodiment of the present invention, rather than having a
backup / restore server re-write each license 16, each license 16 is re-written by the DRM
system 32 itself. As should be appreciated, such re-writing by the DRM system 32 is
possible if a backup / restore server is employed to extract the old key sets from the old
key file 82 in a manner akin to that discussed above in connection with step 2011 of Fig.
20B. Otherwise, the DRM system 32 and the black box 30 thereof has access to all keys
necessary to perform such re-writing. Of course, providing the DRM system 32 with the
functionality to re-write a license 16 in the manner disclosed herein must be done
guardedly. Specifically, a nefarious entity must not be allowed to employ such
functionality to in effect issue new licenses 16.

As may be appreciated, a backup / restore server may be employed in any
of the manners discussed above to legitimately copy a black box 30 of a DRM system 32
to other computing devices 14, or to legitimately re-write licenses 16 to work on other
DRM systems 32. In the former instance, for example, a key file 82 from a first
computing device 14 may be employed as the old key file 82 in connection with a
backup / restore of a second device 14, thereby in effect allowing the second device 14 to
employ licenses 16 written for the first device to render digital content 12 on such second
device 14. Accordingly, a user can render digital content 12 on multiple machines 14
under his / her control.

Of course, a nefarious entity may use the backup / restore server and the
same techniques to illegitimately copy a black box 30 of a DRM system 32 to other
computing devices 14, or to illegitimately re-write licenses 16 to work on other DRM
systems 32. Preferably, then, the backup / restore server includes an appropriate fraud
detection mechanism to prevent or at least curtail such illegitimate activities. For
example, the backup / restore server may access a fraud detection database in which it
notes the key sets in each backup / restore request, and may be programmed to refuse a
backup / restore request if the key sets are noted too often, such as for
example more than three times in a six month period. Of course, other frequencies and
periods may be employed without departing from the spirit and scope of the present
invention.
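The fraud detection database just described, as an added example (not the patent's code): the backup / restore server fingerprints the key sets in each request and refuses a request once the same key sets have been served more than three times within six months. The limit follows the text; the window length in days, the fingerprinting by hash of the public halves, and all request records are constructed assumptions.

```python
"""Added example (not the patent's code): a fraud detection check for the backup /
restore server that refuses a request when the same key sets turn up too often.
The limit (three per six months) follows the text; the window length in days,
the fingerprinting scheme and all request data are constructed assumptions."""
import hashlib
from datetime import datetime, timedelta

MAX_SERVED = 3                # requests allowed per key set per window
WINDOW = timedelta(days=182)  # "six month period", approximated in days


def key_set_fingerprint(key_sets) -> str:
    """Identify a key set by hashing its public halves (n, e) so the fraud database
    never has to hold private keys; order-independent so re-ordered files match."""
    canonical = ",".join(f"{n}:{e}" for n, e in sorted(key_sets))
    return hashlib.sha256(canonical.encode()).hexdigest()


class FraudDatabase:
    """Fingerprint -> timestamps of requests that were served."""

    def __init__(self):
        self._served = {}

    def recent(self, fp: str, now: datetime):
        """Served timestamps still inside the window ending at `now`."""
        return [t for t in self._served.get(fp, []) if now - t < WINDOW]

    def check_and_record(self, key_sets, now: datetime) -> bool:
        """Return True and record the request if it may be served, False to refuse."""
        fp = key_set_fingerprint(key_sets)
        recent = self.recent(fp, now)
        if len(recent) >= MAX_SERVED:
            self._served[fp] = recent      # drop aged-out entries, refuse this one
            return False
        recent.append(now)
        self._served[fp] = recent
        return True


def process(db: FraudDatabase, requests):
    """Apply the check to (timestamp, key_sets, new_hwid) tuples; return the decisions."""
    return [(hwid, db.check_and_record(key_sets, ts)) for ts, key_sets, hwid in requests]


# constructed request log: one key set bounced between machines, one legitimate move
KEYS_A = [(3233, 17)]
KEYS_B = [(11413, 3)]
T0 = datetime(2024, 1, 1)
SAMPLE_REQUESTS = [
    (T0, KEYS_A, "HWID-1"),
    (T0 + timedelta(days=30), KEYS_A, "HWID-2"),
    (T0 + timedelta(days=60), KEYS_A, "HWID-3"),
    (T0 + timedelta(days=90), KEYS_A, "HWID-4"),   # fourth within six months: refused
    (T0 + timedelta(days=90), KEYS_B, "HWID-9"),   # different key set: fine
    (T0 + timedelta(days=200), KEYS_A, "HWID-5"),  # first request has aged out: served
]

if __name__ == "__main__":
    for hwid, ok in process(FraudDatabase(), SAMPLE_REQUESTS):
        print(hwid, "served" if ok else "refused")
```

Only served requests are counted, so a refused request does not extend the block; whether refused attempts should also be recorded for later review is a policy choice the text leaves open.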



CONCLUSION

The programming necessary to effectuate the processes performed in
connection with the present invention is relatively straight-forward and should be
apparent to the relevant programming public. Accordingly, such programming is not
attached hereto. Any particular programming, then, may be employed to effectuate the
present invention without departing from the spirit and scope thereof.

In the foregoing description, it can be seen that the present invention
comprises a new and useful enforcement architecture 10 that allows the controlled
rendering or playing of arbitrary forms of digital content 12, where such control is
flexible and definable by the content owner of such digital content 12. Also, the present
invention comprises a new useful controlled rendering environment that renders digital
content 12 only as specified by the content owner, even though the digital content 12 is
to be rendered on a computing device 14 which is not under the control of the content
owner. Further, the present invention comprises a trusted component that enforces the
rights of the content owner on such computing device 14 in connection with a piece of
digital content 12, even against attempts by the user of such computing device 14 to
access such digital content 12 in ways not permitted by the content owner.

It should be appreciated that changes could be made to the embodiments
described above without departing from the inventive concepts thereof. It should be
understood, therefore, that this invention is not limited to the particular embodiments
disclosed, but it is intended to cover modifications within the spirit and scope of the
present invention as defined by the appended claims.
CLAIMS

1. A digital rights management (DRM) system operating on a
computing device when a user requests that an encrypted piece of digital content be
rendered by the computer device, the computing device having an identifier, the DRM
system comprising a black box for performing decryption and encryption functions in the
DRM system, the black box containing the identifier of the computing device, the black
box thus being tied to the computing device.

2. The DRM system of claim 1 wherein the black box also contains
at least one black box public key, the DRM system further comprising a digital license
corresponding to the digital content, the license including a decryption key for
decrypting the encrypted digital content, the decryption key being encrypted according to
a black box public key of the black box, the license thus being tied to the black box and
by extension the computing device.

3. The DRM system of claim 2 wherein the black box includes a key
file and an executable, the key file containing the at least one black box public key.

4. The DRM system of claim 3 wherein the key file of the black box
also includes the identifier of the computing device.

5. The DRM system of claim 1 wherein the black box includes a key
file and an executable, the key file containing the identifier of the computing device.

6. In combination with the DRM system of claim 1, wherein the
computing device is a first computing device, a method comprising:
obtaining the identifier in the black box;
obtaining the identifier of the first computing device;
determining whether the identifier in the black box is the identifier
of the first computing device; and
prohibiting at least a portion of rendering of the digital content by
the DRM system if the identifier in the black box is not the identifier of the first
computing device,
wherein use of the black box is restricted if such black box is duplicated
on a second computing device having an identifier different than the identifier of the first
computing device.

7. In a digital rights management (DRM) system operating on a
computing device when a user requests that an encrypted piece of digital content be
rendered by the computer device, the computing device having an identifier, the DRM
system comprising:
a black box for performing decryption and encryption functions in
the DRM system, the black box including a key file and an executable, the key file
including at least one black box public key and being expected to include the identifier of
the computing device, the black box thus being tied to the computing device by inclusion
of such first identifier, and
a digital license corresponding to the digital content, the license
including a decryption key for decrypting the encrypted digital content, the decryption
key being expected to be encrypted according to a black box public key of the key file of
the black box, the license thus being tied to the black box and by extension the
computing device,
a method of re-tying the black box and the license to the computing
device if the identifier of the computing device is in fact different than the identifier in
the key file of the black box, the method comprising:
receiving from the computing device the key file of the black box,
and also the different identifier of the computing device;
producing a different key file based on the black box public key(s)
of the received key file and the received different identifier of the computing device; and
forwarding the different key file to the computing device and the
DRM system thereof for appropriate installation thereon.

8. The method of claim 7 wherein producing the different key file
comprises altering the received old key file to include the received different identifier of
the computing device.

9. The method of claim 7 wherein producing the different key file
comprises creating a new key file with the black box public key of the received old key
file and the received different identifier of the computing device.

10. The method of claim 7 wherein the key file of the black box is a
first key file, the method comprising producing a new black box for the digital rights
management (DRM) system, the new black box including a new key file, the new key
file having a new set of black box keys and also including old sets of black box
keys, and also including the different identifier of the computing device, the method
comprising:
receiving the first key file, the different identifier of the computing
device and the new set of black box keys;
extracting the old sets of black box keys from the first key file;
and
producing the new key file including the new set of black box
keys, the old sets of black box keys, and the different identifier of the computing device
as an output based on the extracted old sets of black box keys from the first key file, the
new set of black box keys, and the different identifier of the computing
device; and
forwarding the produced new key file to the requesting DRM
system.
11. The method of claim 10 wherein the first key file is a previously
saved key file.

12. The method of claim 10 wherein the first key file is a current key
file.

13. The method of claim 10 wherein the new black box further
includes a new executable, the method further comprising:
receiving a master executable and randomized optimization
parameters;
producing the new executable based on the received master
executable and the received randomized optimization parameters and based on a code
optimization / randomization technique; and
forwarding the produced new executable to the requesting DRM
system.



14. The method of claim 13 wherein producing the new executable comprises producing the new executable with space reserved therein for additional information.

15. The method of claim 14 wherein producing the new executable 
comprises producing the new executable with space reserved therein for additional 
information to be injected by an injector. 

16. The method of claim 14 wherein producing the new executable comprises injecting the received different identifier of the computing device into at least a portion of the reserved space.
17. The method of claim 13 wherein producing the new executable comprises injecting the received different identifier of the computing device thereinto.

18. The method of claim 13 wherein producing the new executable comprises producing the new executable based at least in part on the received different identifier of the computing device and based on a code optimization / randomization technique.



19. In a digital rights management (DRM) system operating on a computing device when a user requests that an encrypted piece of digital content be rendered by the computer device, the computing device having an identifier, the DRM system comprising:

a black box for performing decryption and encryption functions in the DRM system, the black box including a key file and an executable, the key file including at least one black box public key and the identifier of the computing device, the black box thus being tied to the computing device by inclusion of such first identifier, and

a digital license corresponding to the digital content, the license including a decryption key for decrypting the encrypted digital content, the decryption key being encrypted according to the black box public key of the key file of the black box, the license thus being tied to the black box and by extension the computing device,

a method of re-tying the black box and the license to the computing device if the decryption key is encrypted according to a black box public key different than the black box key in the key file of the black box, wherein the different black box public key is in a previously saved old key file, the method comprising:

receiving from the computing device the previously saved old key file and the identifier of the computing device;

producing a different key file having the different black box public key from the received old key file and the received identifier of the computing device; and

forwarding the different key file to the computing device and the DRM system thereof for appropriate installation thereon.

20. The method of claim 19 wherein producing the different key file comprises altering the received old key file to include the received identifier of the computing device.

21. The method of claim 19 wherein producing the different key file comprises creating a new key file with the different black box public key of the received old key file and the received identifier of the computing device.

22. The method of claim 19 comprising producing a new black box for the DRM system, the new black box including a new key file, the new key file having a new set of black box keys and the old sets of black box keys, and also including the identifier of the computing device, the method comprising:

receiving the previously saved old key file, the identifier of the computing device and the new set of black box keys;

extracting the old sets of black box keys from the previously saved old key file; and

producing the new key file including the new set of black box keys, the old sets of black box keys, and the identifier of the computing device as an output based on the extracted old sets of black box keys from the previously saved key file, the received new set of black box keys, and the received identifier of the computing device; and

forwarding the produced new key file to the requesting DRM system.



23. The method of claim 22 wherein the new black box further includes a new executable, the method comprising:

receiving a master executable and randomized optimization parameters;

producing the new executable based on the received master executable and the received randomized optimization parameters and based on a code optimization / randomization technique; and

forwarding the produced new executable to the requesting DRM system.

24. The method of claim 23 wherein producing the new executable 
comprises producing the new executable with space reserved therein for additional 
information. 

25. The method of claim 24 wherein producing the new executable comprises producing the new executable with space reserved therein for additional information to be injected by an injector.

26. The method of claim 24 wherein producing the new executable comprises injecting the received identifier of the computing device into at least a portion of the reserved space.

27. The method of claim 23 wherein producing the new executable 
comprises injecting the received identifier of the computing device thereinto. 



28. The method of claim 23 wherein producing the new executable comprises producing the new executable based at least in part on the received identifier of the computing device and based on a code optimization / randomization technique.

29. In a digital rights management (DRM) system operating on a computing device when a user requests that an encrypted piece of digital content be rendered by the computer device, the computing device having an identifier, the DRM system comprising:

a black box for performing decryption and encryption functions in the DRM system, the black box including a key file and an executable, the key file including at least one black box public key and the identifier of the computing device, the black box thus being tied to the computing device by inclusion of such first identifier, and

a digital license corresponding to the digital content, the license including a decryption key for decrypting the encrypted digital content, the decryption key being encrypted according to the black box public key of the key file of the black box, the license thus being tied to the black box and by extension the computing device,

a method of re-tying the license to the black box and the computing device, the method comprising:

receiving from the computing device the license and a current black box key of the black box;

producing a different license having the decryption key thereof encrypted according to the received current black box key; and

forwarding the different license to the computing device and the DRM system thereof for appropriate installation thereon.
30. [...] file, the method comprising:

receiving from the computing device the previously saved old key file having the different black box public key and the different black box private key;

extracting the different black box private key from the received previously saved old key file, the different black box private key corresponding to the different black box public key;

applying the extracted different black box private key to the encrypted decryption key of the license to produce the decryption key;

encrypting the produced decryption key according to the received current black box public key; and

producing the different license having the encrypted decryption key; and

forwarding the different license to the computing device and the DRM system thereof for appropriate installation thereon.
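Added illustration, not code from the patent: a toy model of the key-file re-tying of claims 10/22 and the license re-tying of claims 29/30. Textbook RSA on tiny constructed primes stands in for the black box key pairs, and the key-file layout, function names, device identifiers and the content key value are assumptions made for this example only.

```python
# Added illustration, not code from the patent: key-file re-tying (claims 10/22)
# and license re-tying (claims 29/30). Toy RSA on tiny constructed primes stands
# in for black box key pairs; layout, names and values are assumptions.

def make_key_pair(p, q, e=17):
    """Toy RSA pair ((n, e), (n, d)); no padding, toy sizes, illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def rsa_apply(key, m):
    """Raw modular exponentiation: encrypt under a public key or decrypt with a private key."""
    n, exponent = key
    return pow(m, exponent, n)

def make_key_file(device_id, key_sets):
    """Key file = identifier of the computing device plus its sets of black box keys."""
    return {"device_id": device_id, "key_sets": list(key_sets)}

def black_box_matches_device(key_file, device_id):
    """The black box is tied to the device by the identifier in its key file (claims 7-9)."""
    return key_file["device_id"] == device_id

def retie_key_file(old_key_file, different_device_id, new_key_set):
    """Claims 10/22: extract the old sets of keys from the old file and emit a new key
    file carrying them, the new key set, and the different identifier of the device."""
    old_sets = old_key_file["key_sets"]
    return make_key_file(different_device_id, old_sets + [new_key_set])

def make_license(content_id, decryption_key, black_box_pub):
    """A license is tied to a black box by encrypting the content decryption key
    under that black box's public key; the key it is tied to is recorded alongside."""
    return {"content_id": content_id, "tied_to_pub": black_box_pub,
            "enc_key": rsa_apply(black_box_pub, decryption_key)}

def retie_license(lic, saved_old_key_file, current_pub):
    """Claims 29/30: find the old private key matching the public key the license is
    tied to, recover the decryption key, re-encrypt it under the current public key."""
    old_priv = next(priv for pub, priv in saved_old_key_file["key_sets"]
                    if pub == lic["tied_to_pub"])
    decryption_key = rsa_apply(old_priv, lic["enc_key"])
    return make_license(lic["content_id"], decryption_key, current_pub)

if __name__ == "__main__":
    old_pair, new_pair = make_key_pair(61, 53), make_key_pair(101, 113)  # constructed toy primes
    old_kf = make_key_file("DEVICE-A", [old_pair])
    lic = make_license("content-1", 1234, old_pair[0])       # 1234 is a constructed toy content key
    new_kf = retie_key_file(old_kf, "DEVICE-B", new_pair)   # device identifier has changed
    new_lic = retie_license(lic, old_kf, new_pair[0])
    print(rsa_apply(new_pair[1], new_lic["enc_key"]) == 1234, black_box_matches_device(new_kf, "DEVICE-B"))
```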

31. The method of claim 29 comprising performing the receiving, [...] device.

32. The method of claim 29 comprising performing the receiving, producing, and forwarding [...] device.

33. The method of claim 32 comprising performing the receiving [...]